FINANCE FINANCE EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Joras Ferwerda, Peter Reuter © 2022 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW Washington, DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org. The authors gratefully acknowledge helpful comments from Kateryna Bogulslavska, Steve Dawe, Elisa de Anda, Mario Gara, Tom Keatinge, Michael Levi, Mark Nance, Michele Riccardi, Jason Sharman, and Tjalling Jan van Koningsveld, and also thank the reviewers selected by the World Bank for this publication. The authors are responsible for any remaining errors. Cover design and layout: Diego Catto / www.diegocatto.com >>> Contents Foreword 4 Abstract 5 1. Introduction 6 Contributions of the report 7 2. NRAs and the Risk-Based Approach to Fighting Money Laundering 8 3. Study Data and Methods 10 4. Characterizing the Eight NRAs 12 Conceptualization 12 Threat Assessment 12 Vulnerability 14 Risk 15 Data Sources 15 Method of Analysis 16 Outputs 17 5. How Strong Are the NRAs? 19 Conceptual Analysis 20 Data Sources 21 Outputs 21 Analysis 21 6. Path Forward 23 Risk Assessment Lessons from Other Fields 23 The Problem of Endogeneity 24 Audiences for the Published National Risk Assessments 25 Data sources 26 Analytic Methods 28 7. Concluding Comments and Recommendations 29 Appendix A. NRAs Published by OECD Countries 31 Appendix B. The FATF Approach to Risk Assessment 33 Appendix C. How Useful Is Estimating the Risk Before Policy Intervention? 35 Appendix D. Why Are the Current NRAs Not Stronger? 37 List of National Risk Assessment Documents Reviewed 39 References 40 >>> Foreword A robust assessment and understanding of the risks of money laundering and terrorist financing in a jurisdiction are prerequisites to effectively protecting it against criminal abuse and contributing to the global efforts against financial crime. The World Bank Group (WBG) has been at the forefront of international efforts to help countries implement risk-based approaches to anti-money laundering and countering the financing of terrorism (AML/CFT). The WBG has supported more than 100 client countries in building their capacity in this area. The WBG has always sought to enrich and influence the international debate about AML/CFT with analysis and research, often in collaboration with academia. A data-driven and academic perspective should aid policy makers in designing evidence-based policies and in assessing the impact and effectiveness of those policies. Nearly a decade after the Financial Action Task Force (FATF) introduced requirements for assessments of money laundering and terrorism financing (ML/TF) risks, the international community is at the right point to review the past 10 years and assess whether the risk-based approach to AML/CFT is developing as intended. What is working, what is not working, and how can we bolster a risk-based culture and operational focus? The answers to those questions are particularly relevant to most of the World Bank’s client countries, which need to prioritize their limited resources strategically to fight financial crimes while strengthening financial inclusion. It is in this spirit that we welcome the work done by two distinguished academics, Joras Ferwerda and Peter Reuter, that evaluates the quality of ML/TF risk assessments by eight countries and draws lessons to guide future risk assessments. This research was conducted independently by the authors in their academic capacity. In recognition of this study’s added value to current literature, the World Bank has facilitated and led a peer review of the study, with contributions from internal and external experts. Any opinions or findings in the study belong to the authors only and do not necessarily reflect the views of the WBG, its management, or its board. Indeed, differences exist between the views of the authors and the approach used by World Bank technical teams—in capacity-building activities, for instance—in defining, describing, and analyzing ML/TF risks. Those differences are healthy, however, as they can contribute to a welcome debate on the topic. We hope that this study will guide the international community, notably World Bank clients, in improving its approach to assessing and understanding ML/TF risks. I would like to take this opportunity to thank the authors and peer reviewers of the study for their important contribution to the AML/CFT literature. The World Bank teams leading the work on financial integrity will continue to actively contribute to the global discussion on ML/TF risks and the effectiveness of AML/CFT policies and actions while helping emerging markets and developing economies protect themselves from the insidious impact of financial crime. Jean Pesme Global Director, Finance Finance, Competitiveness and Innovation World Bank Group <<< 4 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs >>> Abstract The Financial Action Task Force (FATF) requires national governments to demonstrate an understanding of the money laundering risks in the country. Such an understanding is the foundation for effective control of money laundering under the risk-based approach the FATF calls for. We analyzed the National Risk Assessments (NRAs) published by eight systemically important countries to test whether they demonstrate that basic understanding and to draw lessons for national governments from those NRAs. The eight show very different conceptualizations, analytic approaches, and products. Each raises serious issues regarding the risk assessment methodology. For example, most relied largely on expert opinion, which they solicited in ways that are inconsistent with the well-developed methodology for making use of expert opinion. They misinterpreted data from suspicious activity reports and failed to provide risk assessments relevant for policy makers. Only one described the methodology employed. Although the challenge of conducting strong risk assessments is great, given the difficulty of estimating the extent of money laundering in any sector, the findings based on this limited sample point to ways to improve substantially on existing practices. The report concludes with a set of suggestions for (international) policy makers and those conducting NRAs for improving risk assessments. Suggestions include increased clarity about the conceptualization of risk, transparency about data and methods so that each country can learn from others, and the adoption of more formal and standardized methods of eliciting expert opinion. 1. >>> Introduction Making the laundering of criminal money riskier and more expensive is now seen as a routine function of government. To achieve that goal, a far-reaching set of controls, which we shall refer to as the anti-money laundering (AML) regime, has been developed. The creation of the AML system has occurred largely under the aegis of the Financial Action Task Force (FATF), created in 1989 by the G7 and now a permanent body.1 The FATF has a membership of 37 nations, but almost all other countries are members of the FSRBs—FATF-style regional bodies—that are themselves associate members of the FATF. The AML system imposes a set of obligations on financial institutions—including banks but extending much more broadly to other financial institutions, businesses, and professions (DNFBPs: Designated Non-Financial Businesses and Professions)— to prevent criminals or terrorists from establishing accounts or conducting transactions through existing accounts. Among other requirements, these institutions, businesses, and professions must undertake customer due diligence (CDD) checks and identify and report suspicious transactions. Failures to do so may lead to criminal and civil fines issued by national authorities against the financial institution or DNFBP; fines occasionally have been in the hundreds of millions of dollars.2 The FATF regime deals with the fight against money laundering and terrorist financing; it is usually referred to as the AML/CTF (Anti-Money Laundering and Counter Terrorism Finance) regime. This report focuses on money laundering only. Whereas the goal of money laundering generally is to make large sums of illegally earned money appear legal, the goal of terrorist financing generally is to use relatively small sums of often legally earned money for an illegal act (Ferwerda 2012). Although some of the observations and conclusions in this report also apply to the fight against terrorist financing and the related risk assessments, this analysis focuses on money laundering and uses only money laundering examples in the argumentation. The risk assessments of terrorism finance in the NRAs are much briefer than those for money laundering,3 which surely reflects the highly classified nature of much that is relevant to CTF risk assessment; thus, outside observers can do less to evaluate the adequacy of terrorism finance risk assessments.4 1. The 2019 Ministerial mandate declared that the FATF was no longer a temporary body. https://www.fatf-gafi.org/media/fatf/content/images/FATF-Ministerial- Declaration-Mandate.pdf. 2. The list of major banks receiving large fines includes HSBC, ING, Wachovia, Credit Suisse, Danske Bank, and Wells Fargo. All of the 10 largest European banks have been fined for money laundering violations, primarily related to sanctions violations. 3. Generally, vulnerability sections discuss preventive measures and therefore cover money laundering and terrorist financing together, but in threat assessments, money laundering and terrorist financing are separated. To give an idea of how brief terrorist financing threats tend to be discussed in NRAs, the terrorist financing threat section of the NRA of Canada (2016) consists of only four pages; Italy (2014), six pages; Japan (2015), one page; Singapore (2013), four pages; Switzerland (2015), seven pages; UK (2015), nine pages; and the United Kingdom (2017), three pages. The published NRAs of the Netherlands and the United States that were analyzed focus only on money laundering. 4. The Interpretive Note to Recommendation 26 states, “Risk-based approach to supervision refers to: (a) the general process by which a supervisor, according to its un- derstanding of risks, allocates its resources to AML/CFT supervision; and (b) the specific process of supervising institutions that apply an AML/CFT risk-based approach” (FATF 2012, 94). <<< 6 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs In 2012, the FATF introduced an important new requirement— namely, that nations carry out a National Risk Assessment Contributions of the report (NRA). The requirement is motivated by the shift from a rule- based AML system, in which financial institutions (FIs) had to This report attempts to make two broad contributions. First, follow procedures specified by law and regulation, to a risk- sections 3 and 4 offer the first systematic review of multiple based approach (RBA), in which FIs and DNFBPs adjust NRAs. A lengthy search for published critiques of specific their procedures and policies on the basis of their specific NRAs turned up only one (Hopkins and Shelton 2019, on the relevant risks. The risk-based approach is not just a challenge UK). Only our earlier article comparing the NRAs of Italy and to entities subject to AML requirements; it also imposes new Switzerland has attempted anything more ambitious (Ferwerda obligations on the government because regulators must and Reuter 2019). This report shows the great variety of determine whether the FIs understand the relevant money methods and outputs of just these eight NRAs; the nature of laundering risks and adapt accordingly. the data used reveals less variety. We also suggest that current practice fails to conform to what is called “risk assessment” in In effect, the question that the NRAs set out to answer is fields other than terrorism, which provides a poor fit with the whether the nation’s government5 understands how money risk assessment needs for money laundering. Current practice laundering risks are distributed. Insufficient understanding of also does not provide much useful information for policy money laundering risks makes it challenging for a government makers (whether regulators or law enforcement agencies). to implement an effective risk-based anti-money laundering Following guidance from the FATF, the NRAs present a great regime. If, for example, a government cannot assess whether deal of information on “threats” that is eventually not used retail banks are more or less risky than private wealth funds to determine risks. Some countries present no actionable as institutions through which to launder criminal earnings, findings. The empirical analysis of suspicious activity reports then the government will be unable to determine how it should is often misleading and incorrectly interpreted. The outputs of allocate supervisory and investigative resources among the the NRAs vary greatly in their utility. Overall, our findings are different classes of banks. At a minimum, AML will be less distinctly critical. effective than it should be—perhaps even highly ineffective. Second, this report offers possible explanations for the This report examines the published NRAs of eight countries weaknesses of the NRAs (section 4) and, more importantly, identified by the International Monetary Fund (IMF) as suggests a path forward (section 6) and concrete systemically important; they are indeed, as explained later, recommendations (section 7). We note that except for the Dutch among the most important.6 They were chosen as among the NRA, the publications fail to describe how data were collected most sophisticated countries in terms of financial regulatory and analyzed, even though the NRA exercise is intended to be capacity and stability and are therefore expected to have regularly conducted. The NRAs examined here are generally among the most advanced anti-money laundering frameworks first efforts at risk assessment in a field that does not have much and National Risk Assessments. This report assesses of a scholarly research base. We identify the appropriate risk whether, on the basis of information that is publicly available, concepts, how expert opinion (the bedrock source of data) can these NRAs demonstrate adequate knowledge of money be used more systematically, what databases on transactions laundering risk. The report identifies ways in which NRAs need to be created, and how “mystery shopping” could advance and, thus, the international AML regime could be implemented understanding. The report shows relatively simple ways in more effectively. We discuss the implications of our choice of which the field could develop more rapidly. these countries in section 3. 5. We use the vague term government because so many agencies are involved in AML regulation—notably, supervisory and investigative agencies—that the number may amount to tens of agencies. For example, in Singapore, the smallest jurisdiction in our sample, the NRA listed 15 agencies involved in its preparation (p. 2). 6. The International Monetary Fund identifies 29 systemically important jurisdictions in its Financial Sector Assessment Program: https://www.imf.org/en/About/Factsheets/ Sheets/2016/08/01/16/14/Financial-Sector-Assessment-Program. <<< 7 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 2. >>> NRAs and the Risk-Based Approach to Fighting Money Laundering The FATF formally introduced the risk-based approach to the fight against money laundering in its Forty Recommendations of 2003 by specifying that “Financial institutions … may determine the extent of such measures on a risk sensitive basis” (FATF 2003). The Risk-Based Approach (RBA) only became mandatory in 2012. RBA means that banks and other reporting institutions could no longer follow the specified rules blindly (as under the rule-based approach) but had to actively assess the risk of money laundering associated with a specific customer/transaction to match the rigor of their AML measures. For example, transactions involving complex and opaque corporate vehicles might be identified as high risk, so that any transaction involving such an entity would be subject to more intense scrutiny or a product (small retail bank deposits) might be identified as very low risk and receive less than average scrutiny. The risk-based approach has been applied not only to the reporting entities. This point is so central to our analysis that we quote the FATF (2012, 9) Recommendation 1 in full: Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, countries should apply a risk- based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. This approach should be an essential foundation to efficient allocation of resources across the anti-money laundering and countering the financing of terrorism (AML/CFT) regime and the implementation of risk-based measures throughout the FATF Recommendations. Where countries identify higher risks, they should ensure that their AML/CFT regime adequately addresses such risks. Where countries identify lower risks, they may decide to allow simplified measures for some of the FATF Recommendations under certain conditions. Countries should require financial institutions and designated non-financial businesses and professions (DNFBPs) to identify, assess and take effective action to mitigate their money laundering and terrorist financing risks.7 7. The FATF Recommendations were updated in 2020. Recommendation 1 did not change regarding money laundering risks; a paragraph was added about proliferation financing risks. <<< 8 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs We take “countries” to refer to “governments.” This makes warning suggests pessimism about the initial NRAs of these clear that supervisors of AML regulations (for example, bank eight countries, almost all of which were done in the looming regulators, insurance regulators, sometimes professional shadow of a fourth-round mutual evaluation report.12 associations8) should apply their supervision on a risk basis as well. Those reporting institutions and sectors that are So what is the exact policy issue or issues that NRAs are deemed riskier should receive more supervisory attention. trying to inform? As noted, the FATF Guidance states that Recommendation 1 implies, less clearly, that enforcement an NRA “assists in the prioritization and efficient allocation agencies should also allocate their resources to reflect the of resources by authorities” (FATF 2013a, 4). Spending distribution of risk across potential channels9—thus, the resources efficiently is desirable, in line with the risk-based importance of risk assessment by the government. approach, but what should be the dimensions for allocation? Different regions? Different sets of financial institutions? Although the risk-based approach in the field of money Different kinds of crimes? The FATF Guidance is vague on this laundering was promulgated in 2003, no published focused point except for stating that assessments “may also form the risk assessment on the national level appeared until about 10 basis for determining whether to apply enhanced or specific years later.10 The FATF revised its Forty Recommendations in measures, simplified measures or exemptions from AML/ 2012 and declared that countries must demonstrate knowledge CTF requirements” (FATF 2013a, 4). That statement clarifies of the distribution of risks within their jurisdiction, although that the policy decision the NRA should inform is how FIs and without explicit mention of a National Risk Assessment. The regulatory agencies allocate resources and indicates that the next year, the FATF published general guidance for performing concern is how the risks are spread across different sectors, national risk assessments (FATF 2013a). The published NRAs which we take to mean classes of regulated institutions. We came only after the requirement to perform one, when Serbia, conclude that an NRA should at least provide information Singapore, and Sweden published so-called National Risk about the relative risks of each sector, which is what most of Assessments in 2013.11 As Rausand (2013), an authority the 11 NRAs aimed to do.13 Obviously, an NRA can provide in the field of risk assessments, warns, “A risk assessment much more information about money laundering risks, such should never be performed simply to satisfy some regulatory as the most significant forms of laundering, but insights on requirement. Rather, it should be performed with the intention the relative risks across sectors should be considered the of providing information for decision making about risk.” That bare minimum. 8. In some countries, the government may place regulation of a particular profession in the hands of a professional body, not itself governmental. For example, the British NRA identifies 15 separate professional associations with AML responsibilities. 9. FATF’s 2013 NRA Methodology refers to the Interpretive Notes for Recommendations 26 and 28. These are both explicitly addressed to supervisors and regulators and contain no comparable text explicitly for enforcement agencies. 10. This raises the question of whether risk assessments were prepared but not published. Some such assessments for specific threats were prepared in the United States, but we have found no evidence of similar efforts in the other seven countries. Certainly, none are referred to. 11. Countries trying to inform their policy decision making in the 10 years in between (2003 through 2012) did not feel the need to prepare such risk assessments (see appendix A).The most notable exception is New Zealand, which published a national risk assessment in 2010. 12. Some form of evaluation has been part of the FATF system since its founding. The fourth round of evaluations, which began in 2014 and will extend over eight years, is the first round requiring that governments demonstrate a knowledge of risks. Canada published its NRA in 2015 and was visited for evaluation later that year. Italy published its NRA in 2014 and was visited in 2015. Japan published its NRAs in 2015 and 2017 and was visited in 2019. The Netherlands published its NRAs in 2017 and 2020 and was visited in 2021. Singapore published its NRA in 2013 and was visited in 2015. Switzerland published its NRA in 2015 and was visited in 2016. The United Kingdom published its NRAs in 2015 and 2017 and was visited in 2018. The United States published its first NRA in 2015 and was visited in 2016. 13. The World Bank tool to conduct a money laundering NRA estimates those risks per sector but can also be used to identify, for example, main predicate crimes, the risks of different financial products, financial inclusion effects, and money laundering risks coming from different types of legal persons. <<< 9 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 3. >>> Study Data and Methods This section analyzes 11 National Risk Assessments published by eight advanced countries— Canada, Italy, Japan, the Netherlands, Singapore, Switzerland, the United Kingdom (UK), and the United States (US)—before 2020.14 Three countries—Japan, the UK, and the US— published two NRAs during that time. All eight countries are FATF members. Included are two of the jurisdictions most prominent in the creation of the FATF, the UK and the US. Those two countries, plus Singapore and Switzerland, are among the most important global financial centers (Long Finance & Financial Centre Futures, 2020, 4). The jurisdictions span the globe— four in Europe, two in North America, and two in Asia. The IMF identifies these countries as jurisdictions with a systemically important financial sector.15 Five of the G7 are included (only France and Germany are not in our list); thus, the NRAs of these eight countries might be seen as including those most capable to be state-of-the-art, providing a particularly striking finding if the maintained hypothesis (competent at risk assessment) is disconfirmed. The data in this report come from what the nations chose to publish. Other risk assessment documents may exist that were not published.16 Only the NRA of the Netherlands explicitly states that the published risk assessment is the only one that was produced.17 The existence of other unpublished reports suggests that we cannot assess the government’s competence simply from what is published; however, our analysis focuses not on the specific risks but on the way the analysis was performed. The logic for the government choosing to publish a report that shows less analytic competence than it demonstrates in the unpublished versions is hard to fathom. The unpublished reports may simply be more detailed and include information that should not be made public. We interviewed individuals who contributed to five of the NRAs: Canada, Italy, the Netherlands, Switzerland, and the UK. Primarily, we relied on the NRAs. Most reports provide only brief descriptions of methodology, a point that we emphasize as a weakness because NRAs are not one-time efforts but are intended to provide ongoing guidance.18 All except that of Singapore show the extent to which they relied on specific data sources: suspicious activity reports (SARs), expert opinion, vignettes, and so forth. We made no effort to assess the accuracy with which they represented those sources. 14. Two other NRAs by these countries were not included. A 2019 Italian NRA has not been published in English. Since this work finished, three of these countries have published additional NRAs: Japan published a third NRA, the Netherlands published a second NRA, and the UK published a third NRA. A further analysis into NRAs suc- ceeding the ones this report focuses on can indicate to what extent a learning effect takes place within countries. 15. https://www.imf.org/external/np/fsap/mandatoryfsap.htm. 16. For example, the 2014 mutual evaluation report for Spain referred to a variety of risk assessments that were prepared for specific sectors and agencies. It stated that “Spain has a high level of understanding of its ML/TF risks” (p. 5). Spain did not publish or execute an overall NRA. 17. In an interview with Canadian authorities (on April 1, 2018), we learned that Canada has an unpublished version of the report with more sensitive results. In the published NRA of Italy, sensitive results concerning the distribution of predicate crimes were left out; for this report, we gained access to the unpublished version of the Italian NRA. 18. The FATF Guidance states, “Recommendation 1 requires that countries assess risks ‘on an ongoing basis’ and that they keep assessments up-to-date” (FATF 2013a, 18). <<< 10 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs For analysis purposes, we used a four-part framework to summarize and compare the eight NRAs: 1. CONCEPTS USED. Threats and vulnerabilities—the central concepts in the FATF framework—were almost universal, although variably interpreted; however, some NRAs also incorporated the concepts of inherent risk, country risk, and consequences. 2. DATA SOURCES. Most used suspicious activity reports,19 enforcement actions, and expert opinion; occasionally, they also used vignettes (brief case descriptions). 3. ANALYTIC METHODS. This was the hardest category to code because little was said explicitly except in the NRAs of the Netherlands and Switzerland. 4. OUTPUTS REPORTED. A few countries provided detailed tables, showing, for each sector, the levels of threat and vulnerability. Only Italy went the next step and showed which additional regulatory interventions would be most effective for each sector. 19. In some countries, these are called suspicious transaction reports; in the Netherlands, the term is unusual transaction reports. SARs is used to cover all three terms. <<< 11 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 4. >>> Characterizing the Eight NRAs Conceptualization Whether or not a country’s NRA was explicit about concepts (Japan’s was not), it always adopted the FATF framework of identifying threats and vulnerabilities;20 given that those NRAs were usually prepared in advance of the FATF’s mutual evaluation, that finding is hardly surprising because conformity with the FATF NRA methodology was an element of the judgment made by Mutual Evaluation Report (MER) assessors. We discuss the threat assessment and the vulnerability assessment separately. The FATF Guidance (2013a) states that the consequences of money laundering, which ideally should be part of a risk assessment, are likely difficult to measure. No country made an explicit effort to assess consequences except the Netherlands, where experts were asked about the potential impact of 10 specific risks. Canada’s NRA provided an appendix of possible consequences not included in the analysis of the body of the report. Threat Assessment All but the Japanese NRA include an explicit threat assessment (TA), thus conforming to the broad FATF Guidance; however, the seven countries conduct the TA in a variety of ways. Given our skepticism about the utility of the threat assessments as implemented, we examined whether the TA played a role in the NRA conclusions. What was meant by “threat” varied substantially. Some countries identified persons as threats: for example, Canada identified a threat as “a person or group who has the intention, or may be used as a witting or unwitting facilitator, to launder proceeds of crime or fund terrorism” (p. 15). Threats were identified then as specific groups, such as organized crime groups and professional money launderers. Other countries, such as Singapore, identified particular crimes as constituting the threat. None presented quantitative measures of the threat but simply identified the principal ones, perhaps with an implied ranking. In all cases, the threat assessment was at the national level, not specific to a particular kind of financial institution or DNFBP. 20. See appendix B for a discussion of the FATF approach to risk assessment and the risk-based approach. <<< 12 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs A threat assessment for money laundering is useful to show to the results of the threat assessment when reporting risk level knowledge of the crime and money laundering situation in the findings, but because the threat to all sectors is, by definition, country, but as operationalized in these eight NRAs, the threat the same in their methodologies, the threat assessment does assessment generally does not inform the risk-based approach. not affect the relative risk scores for different sectors. Japan, In only one of the eight NRAs did the eventual risk level the Netherlands, and Singapore make no explicit reference findings for a sector depend on information or results from the to information in the threat assessment when discussing the threat assessment: Switzerland uses an explicit formula (see conclusions on sectoral risk levels. None of the eight NRAs Ferwerda and Reuter 2019, 17–18) to relate characteristics of use information or results from the threat assessment for SARs (such as the amount of money involved and the country policy recommendations. Countries are including threat of origin) to estimate the risk for different sectors—that is, to assessments in NRAs, but they are struggling to find ways what extent transactions in the sector share characteristics of to use the results of those threat assessments (see table 1). known suspicious transactions. Canada, Italy, and the UK refer > > > T A B L E 1 - The (Main) Focus of the Threat Assessment and How the Information Is Used What is the (main) TA affecting risk TA affecting policy Country focus of the TA? level findings? recommendations? Not really; threat is the Canada Ranking importance of a long list of crimes No recommendations same for all sectors Not really; threat is the Italy Ranking importance of different crimes No explicit reference same for all sectors Japan Share of predicate crimes in ML cases No explicit reference No explicit reference Netherlands Listing of relevant ML methods and channels No explicit reference No explicit reference Little domestic ML; limited categorization of Singapore No explicit reference No explicit reference international predicate crimes Share of suspected ML offenses for a limited Switzerland Yes, but with debatable formula21 No explicit reference categorization of crimes Description of predicate crimes and the available Not really; threat is the UK No explicit reference revenue estimates same for all sectors US Description of predicate crimes No risk level findings No recommendations ML = money laundering. TA = threat assessment. UK = United Kingdom. US = United States. Source: Created by the authors from individual NRAs. 21. See Ferwerda and Reuter (2019, 17–18) for a discussion. <<< 13 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Vulnerability The UK provides an explicit definition of vulnerability. vulnerable.23 The extent of non–face-to-face transactions was “[V]ulnerability is a concept encompassing things that can be an instance of product characteristics affecting vulnerability. exploited by the threat or that may support or even facilitate its activities. Distinct from threat, vulnerabilities are factors that The section of the NRA that is supposed to discuss represent weaknesses in the AML/CFT systems” (p. 9). Other vulnerabilities often seems to equate them with risk (see NRAs are less explicit; indeed, the Japanese NRAs barely the NRAs of Japan, Singapore, Switzerland, and the mention either vulnerability or inherent risk. 22 Netherlands)—another example of conceptual confusion. Considerable emphasis was given to vulnerability, although A money laundering vulnerability can be caused by legal or it was often identified as “inherent risk,” a serious misuse of institutional weaknesses. Most countries24 devote a significant standard risk assessment terminology. Canada provided the part of their NRA to a section describing the relevant AML most detailed guidance to experts for assessing inherent regulations. An overview alone of the AML regulations in place, risk, with five distinct components, such as geographic reach, however, is not a vulnerability analysis; the description of demography, and economic structure. For example, because weaknesses of the system is the relevant area for the vulnerability the country has a large and diverse foreign-born population analysis. Countries such as Singapore, Switzerland, and the UK (with more than 200 ethnic origins), it will have financial include comments on legal and institutional weaknesses in their connections to high-risk countries. Similarly, the very open vulnerability analysis, but for other countries, such as Japan and borders with the US facilitate cross-border laundering from the US, such comments are absent. Table 2 gives a comparative the US. A sector that deals with high-risk regions is more overview of the main differences in vulnerability analyses. > > > T A B L E 2 - Vulnerability Analysis Has a section devoted to Analyzed inherent or Described legal and Analyzed different Country vulnerabilities? remaining vulnerabilities? institutional weaknesses? sectors? No, not part of the inherent Canada Yes Inherent Yes vulnerability Included some comments Italy Yes Remaining Yes on differences between sectors but not the focus Japan Mixed with risks Both No Yes Only national vulnerabilities Not specifically, only a measure of the Netherlands Remaining No described in the introduction resilience of policy instruments Yes, explicit institutional Singapore Mixed with risks Both Yes weaknesses per sector Switzerland Mixed with risks Remaining Yes Yes UK Mixed with risks Both Yes Yes US Mixed with risks Remaining No No UK = United Kingdom. US = United States. Source: created by the authors of this report. This is a summarizing table, which does not show details and nuances. For instance, some countries’ NRAs mention both inherent vulnerabilities and observed vulnerabilities (for example, Japan), but not necessarily with a side-by-side analysis of the inherent and observed vulnerabilities for each sector. 22. The term vulnerabilities appeared three times in the Japanese NRA in 2015 and four times in 2017; inherent risk four times in 2015 and once in 2017 but only in lists, never as the label for any data or specific judgments. 23. The five were listed and described as follows: “1) Inherent Characteristics: the extent of the sector’s economic significance, complexity of operating structure, integration with other sectors, and scope and accessibility of operations. 2) Nature of Products and Services: the nature and extent of the vulnerable products and services and the volume, velocity, and frequency of client transactions associated with these products and services. 3) Nature of the Business Relationships: the extent of transactional versus ongoing business, direct versus indirect business relationships, and exposure to high-risk clients and businesses. 4) Geographic Reach: the exposure to high-risk jurisdictions and locations of concern. 5) Nature of the Delivery Channels: the extent to which the delivery of products and services can be conducted with anonymity (face-to-face, non-face-to-face, use of third parties) and complexity (e.g., multiple intermediaries with few immediate controls.” (p. 31) 24. Six of the eight countries have a significant section devoted to describing AML regulations: Italy, Japan, the Netherlands, Singapore, Switzerland, and the UK. The other two, Canada and the US, describe specific AML regulations where relevant but do not have a section providing an overview. <<< 14 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Risk financial intelligence unit (FIU) is the central institution for the NRA, mainly uses the FIU access to the SAR database. The US primarily bases its 2016 analysis on a set of 5,000 closed Canada, Italy, the Netherlands, Switzerland, and the UK cases related to money laundering. Even though this is an distinguish between inherent risk and “mitigated risk.”25 Canada’s unprecedented source of information in the field of money NRA describes only the inherent risks; indeed, that fact is made laundering research, the US NRA unfortunately does not explicit in the title: Assessment of Inherent Risks of Money produce a single table about the contents of that database; Laundering and Terrorist Finance in Canada. The UK produces instead, it is used only as a source of vignettes. Countries a table that specifies (with a precise number) the amount of often mention other sources of data, but when the rest of the inherent risk and the amount of risk remaining after mitigation. The report does not clarify whether and how those data sources Netherlands implicitly tries to do something similar.26 Estimating were used, we classify the sources as minor in table 3. For both inherent risk and mitigated risk seems useful as a way of example, Canada mentions that the assessment is based on “a making the effect of AML efforts explicit. Even though the FATF rigorous and systematic analysis of qualitative and quantitative Guidance does not prescribe that approach, most countries in data and expert opinion” (p. 15), without ever making explicit our sample effectively did so. Without more specific guidance, which qualitative and quantitative data were used. The rest of it is not surprising that the operationalization of these concepts the Canadian report lists only the results of expert elicitation, diverges significantly across countries. Appendix C discusses to making impossible a determination of whether and which other what extent such an analysis is useful and feasible. sources were used in the assessment. Japan and Singapore are not explicit enough about their sources of data or their The risk analysis is generally mixed with the vulnerability methodology to determine what served as the main source analysis. Risk analysis is therefore not suitable for a summary of data. table in the manner we used for threat and vulnerability. The discussion on outputs in this section gives an overview of what The data sources were inadequately described except in the the NRAs report in terms of risk rankings and to what extent Netherlands NRA, which was an outstanding exception. For the outputs inform a policy decision. example, none of the other NRAs gave the number of experts who were consulted, and only rarely were their professional qualifications listed. The quality of statistical series (for Data Sources example, whether the total number of money laundering convictions covered all levels of government in federal nations, such as the US and Canada) were rarely assessed. Canada, Italy, the Netherlands, and the UK use expert opinion as their principal source of data. Switzerland, where the > > > T A B L E 3 - Specified Data Sources for Assessment27 Expert opinion STRs/SARs Closed cases Vignettes Statistics from agencies Literature/reports Canada Main Italy Main Minor Minor Minor Minor Minor Japan Minor Minor Minor Netherlands Main Minor Singapore Minor Switzerland Minor Main Minor Minor UK Main US Minor Minor Main Minor Minor SAR = suspicious activity report. STR = suspicious transaction report. UK = United Kingdom. US = United States. Sources: Canada, pp. 15; Switzerland pp. 13–14: Italy methodology, pp. 5–6; Italy, pp. 3028; Netherlands, pp. 20–22; Singapore, pp. 2; UK, p. 10;29 US, p. 7. Main data source is a direct, principal source of information used to assess risk or relevant risk concepts (main sources are shaded green to increase visibility). Minor data source is mentioned or shown and has been used (a) to describe context, (b) as input for expert elicitation, or (c) to support an assessment, but it is not a direct, main, explicit source to assess risk or relevant risk concepts. Because the way risks are assessed (and with which data) in Japan and Singapore is insuf- ficiently clear, the table lists only minor sources for those two countries. 25. Terminology on this point was inconsistent; we believe this term best captures the general notion. 26. The concluding section of the Dutch NRA provides tables on the amount of potential risk and the resilience per risk (pp. 64–65), but whether those tables must be combined to find the residual risk remains unclear. 27. The table gives an overview of the data sources that are specified in the NRAs as data sources. Unspecified data sources are not shown in the table. For the countries that produced two NRAs, we do not see significant differences in the use of data between the two reports and therefore present them together in this table. 28. This is the published version, called “synthesis.” 29. “The conclusions of the assessment in this paper draw heavily on expert judgment from law enforcement agencies, supervisory authorities, and those responsible for AML/ CFT within firms” (UK 2015, 10). <<< 15 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Only the United Kingdom gave attention to the limits of most advanced analytical model, with a multi-criteria decision government knowledge about money laundering and the analysis applied in two expert meetings.32 Canada and Italy consequences of those limits. The UK NRA noted that more also convened experts in workshops to elicit opinions, which was known about the use of cash because that had been the raises the question of what to do when experts disagree. The focus of investigations, hence cash was probably given too Dutch NRA reports the standard deviation in the answers of much emphasis as a source of threat.30 That circumstance the experts but then just uses the simple average in drawing surely was true for other countries as well, but we believe that conclusions. In Canada, the authors of the NRA listened to the only the UK acknowledged that limitation and its consequence. different opinions and the argumentation offered in support of those opinions; they then decided themselves which opinion to choose.33 In Italy, the workshop participants were told that they Method of Analysis had to reach consensus.34 Countries that did not use expert elicitation as their main method of analysis still used expert opinion in their analysis in some way. Singapore and Japan Countries vary greatly in how explicitly they describe the used experts to validate the findings from other analyses. The method of analysis (see table 4). The Netherlands was most US consulted 15 government agencies for the NRA, without transparent about the methodology—for example, providing making explicit what was asked and how the information a full description of the scripts used in workshops with was used. The UK mentioned a specific model that was experts. Although the US NRA of 2018 had a section called used for data analysis (MoRiLE: Management of Risk in Law methodology (p. 6), that section actually described nothing Enforcement), but we could not find a detailed description of more than the terminology used in the NRA. Singapore gave that model or how it was implemented in this case.35 no information about the method of analysis. Switzerland stated that the quantitative analysis was supple- In a field in which strong quantitative data are hard to come mented with a qualitative analysis, without making explicit how by, that the knowledge of experts is relevant for all NRAs is not this was done. Mixing quantitative and qualitative analysis is surprising. How that expert knowledge is collected and used notoriously difficult (Creswell and Clark 2017), but the ana- in the analysis differs widely. Canada, Italy, the Netherlands, lyst can use some simple, sound practice principles, such as and the UK all explicitly used expert elicitation31 as their main providing explicit statements about the relationship between method of analysis. The UK and the Netherlands used a formal findings in the two modes and which one, if either, is dominant. model for expert elicitation. The Netherlands seems to have the Those principles were not followed in any of the NRAs. 30. “The UK’s law enforcement agencies know most about cash-based money laundering. This is a result of the resources that law enforcement agencies have invested over a number of years in tackling cash-based money laundering and the drugs trade (which largely generates proceeds in the form of cash) which has long been recognized, and continues to be recognized, as posing a high money laundering risk.” UK, 2015, p4 31. Expert elicitation is a structured approach to systematically consult experts on uncertain issues (Knol et al. 2010). 32. Multi-criteria decision analysis “is a method used to facilitate the most rational choice possible from a range of potential policy decisions or other decisions. MCA gives both structure and transparency to complex decision-making processes, allowing the MCA method itself to be developed and fine-tuned. If new information becomes available on the elements in the method, such as the criteria, the method can be adapted accordingly.” (Netherlands NRA 2017, pp. 24–25). One disadvantage of the MCA applied in the NRA is the reliance on expert judgments that are themselves inherently subjective and are expressed in the scores used for the MCA calculations. 33. This method has not been made explicit in the NRA. The source for this information is an interview on April 1, 2019, by Joras Ferwerda with three Canadian government officials responsible for the ongoing risk assessment. 34. One hypothetical advantage of requiring consensus is that the group ultimately defers to its most knowledgeable member. Assuming that such expertise will dominate, how- ever, or that a measure of expertise exists to determine who ought to be the highest authority is too optimistic. Considerable evidence exists that face-to-face interaction between group members can create destructive pressures of various sorts, such as domination by particular individuals for reasons of status or personality unrelated to their capability as probability assessors (Myers and Lamm 1975). Seaver (1978) conducted a series of experiments with 10 four-person groups and concluded that simple aggregation of opinions without interaction produces the best results. He also noted that experts have more faith in assessments with face-to-face interaction, which might be important in persuading them to accept the results. 35. We not only conducted a web search for MoRiLE but also asked UK NRA staff for the details; neither effort was successful. <<< 16 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs > > > T A B L E 4 - Method of Analysis Expert opinion Expert elicitation. Experts informed with basic facts and figures for 22 crimes and 27 products/sectors. Experts rated the Canada characteristics to generate threat and vulnerability ratings in a workshop. Criteria for ranking made explicit; no specification of how the data were analyzed. Expert elicitation. Experts informed with basic facts and figures for two amplifiers (cash and shadow economy), nine crime Italy categories and structural risks, and preventive safeguards in 20 sectors. Experts discussed in a workshop until consensus reached about rating. Japan Many statistics show no analysis conducted. Expert validation of findings. Expert elicitation with multi-criteria decision analysis. E-mail survey to select 10 main threats, followed by two workshops Netherlands with experts. Full description of workshop scripts. Validation with interviews. Singapore Method of analysis not made explicit. Expert validation. Analysis of database of SARs with explicit formula. This quantitative analysis was supplemented with a qualitative analysis Switzerland of all relevant information in an unspecified manner. Expert elicitation on nine sectors and three products. Explicit formulation of some factors considered for assessment. Lack UK of expert knowledge of money laundering through a sector as indicator of vulnerability. Explicit chains of logic to explain some scores. US Database with closed cases and 15 government agencies. No further specification on method of analysis. SAR = suspicious activity report. Note: This table was created by the authors of this report to provide a succinct overview of the methods; some less relevant details are necessarily omitted. The full descriptions can be found in the NRAs. Sources: The NRAs of the countries, mostly—but not exclusively—the methodology sections: Canada, pp. 15–17 and interview; Italy, methodology report pp. 5–7 and interview; Netherlands, pp. 17–28, appendix 4, and interview; Switzerland, pp. 13–14 and interview; UK 2015 pp. 9–11 and interview; US, pp. 6–9. Outputs The goal of the NRA is to inform governments about the distri- agencies], supervisors, and the private sector in targeting bution of risk across sectors, products, transactions, or some their resources at the areas of higher risk, ensuring that the other dimensions among which AML effort might be distributed UK’s approach … is risk-based and proportionate” (p. 4). A set so as to permit the effective implementation of the risk-based of risk rankings in some dimension thus seems reasonable approach.36 As noted previously, “In the cases of higher and to expect. lower risk determination, country-level risk assessments have very specific roles: Where countries identify higher risks, they As shown in table 5, most countries provide that risk rank- should ensure that their AML/CFT regime addresses these ing; Singapore and the United States do not. Canada, Italy, risks. Where countries identify lower risks, they may decide to and Switzerland provide “heat maps” showing the distribution allow simplified measures to be applied in relation to some of of threats and vulnerabilities across sectors, which enables the FATF Recommendations” (FATF 2013a, 6). identification of sectors by overall risk. Figure 1 is an example from the NRA of Switzerland (banking sector) to illustrate this The most explicit statement of that goal is in the UK NRA: technique: the deeper the shade, the higher the risk. the goal is to assist “the government, LEAs [law enforcement 36. One expert noted that distinguishing between conducting an NRA and publishing an NRA is useful. He suggested that the purpose of publishing, as opposed to conducting, an NRA was to inform the private sector. It may also provide some assurance to the general public that the government is competently controlling money laundering. <<< 17 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs > > > F I G U R E 1 - Money Laundering Risks for Universal Banks, Private Banking, and Retail Banks in Switzerland Threats Universal banks Private banking Retail banks Vulnerabilities Source: NRA Switzerland (2015, p. 68). The relatively high threat to “universal banks” in Switzerland is associated with low vulnerability, so it is no riskier than private banking, whose vulnerability is greater but whose threat is smaller. No sector was associated with both high threat and high vulner- ability. None of the NRAs were explicit as to what constitutes “high risk.” > > > T A B L E 5 - Outputs of the NRAs Risk rating or ranking Informed policy decision in the NRA? Yes, 198 risk ratings, one for each combination of 9 crime Yes, risk ratings per sector can be used to decide sectoral Canada categories and 22 sectors/products AML efforts; no recommendations specified Yes, a detailed overview of priority of actions for each of No risk rating or ranking; synthesized (combined) rating for Italy the 20 sectors; identified which of four specific action types all threats, but none for vulnerabilities might be appropriate No risk rating or ranking, but a list of transactions that are Japan No considered low risk Yes, risk and risk mitigation ratings for the 10 most important Netherlands No methods/channels Yes, next steps per sector and what to study further (virtual Singapore No risk rating or ranking, but a list of more vulnerable sectors currencies, precious stones and metals dealers, and freeports Switzerland Yes, risk ratings for 18 sectors Yes, with 8 specific recommendations Yes, structural risk rating and risk rating after mitigation for 9 UK Yes, but mostly on knowledge gaps sectors and 3 methods of payment No risk rating or ranking—only a list of laundering methods No, positive statements about mitigation ability without US that remain relatively difficult to catch informing the policy decision* * The conclusion of the US NRA is that the US is “generally successful in minimizing money laundering risks. Although criminals respond …, the underlying vul- nerabilities remain largely the same” (p. 86). Source: created by the authors of this report Risk rating or ranking: Canada, pp. 44–65; Italy, p. 31; Netherlands, pp. 9–11; Switzerland, p. 5; UK 2015, p. 12. Information for policy decision: Italy, pp. 31–32; Singapore, pp. 41–83; UK 2015, p. 6; US, p. 4. Cells shaded green indicate “yes” answers. <<< 18 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 5. >>> How Strong Are the NRAs? The 11 NRAs by eight systemically important countries provide a useful picture of the state of the art for money laundering risk assessments by governments around the world. We note again the great variety of ways in which the eight went about the task. The FATF had indicated in its Guidance document that it was not prescribing the process, so this variety is hardly surprising. Indeed, the possibility of different approaches being tried is arguably a strength, given the lack of established models for risk assessment in money laundering. This section presents our conclusions from the study of the NRAs as a group before we suggest how the exercise could be improved. We begin with an important and useful negative lesson. Although all NRAs devoted considerable space to discussing predicate crimes and their importance in terms of generating proceeds of crime, the assessments played a minor or no role in the recommendations or policy analysis section of the NRA. This outcome is consistent with the analytic framework that has informed our approach, in which the nature of the predicate crime that generates money for laundering is largely irrelevant for the purposes of risk assessment. Even for enforcement agencies, the value of knowing the distribution of money laundering volumes across predicate crimes is difficult to see. Their allocation of anti-money laundering effort should be determined by the social costs of crime—a very different concept from the proceeds of crime—and the utility of AML in reducing those crimes. If AML is useful for solving homicides, that should get considerable attention, even if fraud generates more criminal revenue. The utility of AML for reducing crime is also good news because no country has strong measures of the proceeds of crime, and most countries lack any estimates at all.37 Each NRA captured some of the required elements. Even those we assessed as quite weak offered something different and useful. For example, the US NRA, which produced no sector risk rankings and a dearth of data, provided insights by identifying relevant money laundering methods. The Singapore NRA showed that little evidence of substantial laundering of domestic crime proceeds exists. None of the NRAs provided a well-founded and comprehensive risk assessment, however. The published NRAs suffer from fundamental problems, which we divide into conceptual framework, sources of data and methods of analysis, and the utility of the outputs. 37. For example, the Canadian mutual evaluation refers to Proceeds of Crime estimates of $47 billion and RCMP estimates of Money Laundering of $5 billion–$15 billion—fig- ures that are hard to reconcile. An unpublished 2013 IMF study examined Proceeds of Crime estimates for 35 jurisdictions encompassing about one-third of global GDP. The IMF sought estimates for 24 different crimes; for 10 of those 24 crimes, fewer than one-half of the countries had estimates. <<< 19 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Conceptual Analysis We identify four major flaws in the conceptualization: to help them. If banks have a specialized regulatory 1. Concepts are lacking clear operationalization. Most NRAs authority, then the assessment should consider risk in the simply repeat the FATF Guidance definitions but then do banking sector specifically. By creating a sector category not say how, for example, threats might be measured; described as “financial institutions, particularly banks,” the they simply list a series of offenses. The Canadian NRA Dutch NRA informs no specific decision maker because comes closest to operationalizing threat by providing a the category includes a variety of sectors—such as long list of potential indicators for crime types (proceeds insurance companies—that have their own regulators.39 of crime is last).38 Vulnerability is operationalized in a Another example from the Dutch NRA is the analysis of confusing fashion. The section of the NRA that is supposed “money laundering via fiscally driven/complex corporate to discuss vulnerabilities often seems to equate them with structures.” Which decision maker can use the results risk (see the NRAs of Japan, the Netherlands, Singapore, of such analysis? Similarly, the United States, by just and Switzerland). Only the NRAs of Canada, Italy, the highlighting the methods to which the system is most Netherlands, Switzerland, and the UK reference “inherent” vulnerable, provides at best modest guidance to regulators or “structural” risk that is associated with the nature of the or even law enforcement. By not specifying which sectors sector or service. Banks are inherently attractive because are vulnerable to the different methods, the NRA left US they permit rapid transactions with many other institutions, regulatory authorities in the dark regarding whether the scattered around the world, and allow easy access to identified risks are relevant in their field. assets, which means they are likely to face a serious threat. Countries such as Singapore, Switzerland, and the UK 4. Terminological confusion exacerbates and signals the include comments on legal and institutional weaknesses in problem. Risk is used in variable ways within the same NRA, their vulnerability analysis, but for countries such as Japan so knowing what is being measured is simply impossible. and the US, such comments are absent. For example, the NRA of the Netherlands starts with stating that risks are a function of threats, vulnerabilities, and 2. Many risk assessments operationalize threats and consequences, just as in the FATF methodology, but later, vulnerabilities at different levels. Threats are national the top 10 threats are called “risks” without consideration aggregates, and vulnerabilities are sectoral. For example, of the vulnerability and consequence level of those threats. Italy provides an innovative analysis of the threat posed The Swiss NRA contains a table (on p. 45) in which “threat” by the use of cash and by the presence of organized is on both the horizontal and vertical axes under different crime (including by region) but then conducts an analysis rubrics, rendering the cell entries meaningless.40 There is of vulnerabilities for a very fine-grained set of 18 sectors. little understanding of the ambiguity of some indicators. For Canada appears as the sole exception; its NRA ties threat example, some NRAs (such as, the Japan NRA) interpret and product or sector together—that is, it assesses the the characteristics of closed cases as providing evidence risk that each kind of financial institution or DNFBP has for of patterns of money laundering, whereas others (such as each of 21 crimes. The basis upon which Canada makes the UK NRA) interpret them as indicative of the pattern of its assessments, however, is mysterious, and the results enforcement. In fact, closed cases reflect both patterns of show an inexplicable constancy of threat severity across money laundering and what enforcement agencies choose sectors, indicating that the ranking of threats from different to investigate; it is a major analytic undertaking to separate crimes is the same for all sectors; that circumstance is the two effects.41 Closed cases provide useful information, implausible and needs explanation. such as the kinds of money laundering associated with a particular kind of offense. For a risk-based approach, the 3. Risk assessments are designed to inform decisions, underlying patterns of risk must be identified; closed cases as the FATF Guidance notes. An early task, then, is to do not provide the basis for that information. identify the decision makers and frame the analysis 38. The Canadian NRA cites “the extent of the threat actors’ knowledge, skills, and expertise to conduct money laundering; the extent of the threat actors’ network, resources, and overall capability to conduct money laundering; the scope and complexity of the ML activity; and the magnitude of the proceeds of crime being generated annually from the criminal activity” (p. 16). 39. No attempt was made to determine whether the threats and vulnerabilities are similar for each of the categories in this sector category. 40. The Swiss NRA states that “the threats associated with bribery and participation in a criminal organisation expose the Swiss financial sector to greater vulnerability because of the larger sums of money involved and more significant potential consequences in terms of reputation both institutionally and systemically.” 41. Many researchers have devoted considerable effort to just this endeavor for crime generally; see, for example, Black (1970), Tonry (2016), and van Dijk and Tseloni (2012). <<< 20 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Data Sources described as high risk and others as low or moderate risk. No evidence indicates standardization of those labels across countries, so Canada’s alarming 16 out of 27 sectors or Most NRAs relied on just one or two data sources. At an products being labeled high risk—suggesting a system that extreme, the Dutch NRA made use only of expert opinion; it is highly exposed42—cannot be compared with the UK finding presented no data of any other kind. Switzerland’s NRA relied that only 3 out of 12 should be labeled high risk. Terms such almost entirely on SARs, with expert opinion used only to test as high risk and low risk are not as helpful as they could be the plausibility of the findings from the SAR analysis. Japan unless countries agree on their definitions. showed a wide array of data on every aspect of enforcement, with minimal reference to expert opinion. Italy made use of That fact also raises a question of interpretation. The Swiss the greatest variety of data sources, although expert opinion NRA correctly notes that money laundering risk cannot be ultimately determined the assessments with the other data eliminated; however, a fair question is whether a system in sources as inputs for the discussion. which six separate classes of institutions are classified as high risk is consistent with the claim that “Switzerland has a The quality of the data sources was never systematically full, coordinated and effective range of legal and institutional assessed but taken at face value; indeed, it was rarely resources for combating money laundering and terrorist described. No effort was made to triangulate so as to test financing” (Swiss NRA, p. 4). Perhaps the US claim to a the plausibility of conclusions from one source with data “robust” system is simply a different national tolerance for from another source. For example, if retail banks are the money laundering risk. principal source of SARs and hence seem to be the channel for most money laundering, does expert opinion support that assertion? Does scientific (data) research find a similar pattern Analysis of money laundering? Is that finding in line with the insights from intelligence reports of investigative authorities? If those findings differ, what could explain the differences? Discussing the analytic methods for most of the NRAs is hard because they were not described. Some NRAs did nothing more than present numbers; that statement seems Outputs to be true of the NRAs for Japan, Singapore, and the United States. For example, Japan presented numerous tables describing criminal justice processing of various kinds of As shown in table 4, the outputs of the NRA reveal great cases; the relationship of those data to money laundering variation. Some countries (such as the Netherlands and the risks was never explained. The UK stated that it used a model UK) provided detailed rankings of the risk associated with developed by law enforcement agencies that cannot be found sectors and products. Uniquely, Italy went even further and in open-source form, so no one can assess its credibility for identified which of four different methods could be used to the purpose. The Dutch explained their method in detail, but improve the effectiveness of AML in a specific sector. At the that method has internal inconsistencies43 that make it of little other extreme, the US provided no relative risk measures, value for risk assessment. even of the vaguest kind, but only the reassurance that the system was robust—hardly consistent with the evidence from Finally, as already noted, the description of methodologies its own investigations or the results of numerous investigations, mostly varies from nonexistent (Singapore) to very thin such as those of Global Witness (2016) and Sharman (2010). (the US) except in the Netherlands and Switzerland NRAs. The FATF Methodology provides no guidance on this issue, a Progress both for successive NRAs in a given country and matter we take up later. for the field as a whole is dependent on better documentation of methods and procedures. Our interviews with participants Some countries went beyond relative risk statements and in second-round NRA efforts gave the strong impression that provided risk classifications—that is, some sectors were documentation was inadequate even within the agency files.44 42. The Canadian finding is perhaps less alarming if one remembers that this categorization is based on “inherent risk” rather than “mitigated risk”; the latter was never published. 43. To give an example, experts were told, “What we ask is that you select the ten threats that you believe represent the greatest potential impact.” That is a complex question that should have been split into at least two components: the probability of a laundered dollar going through a specific channel or method and then the impact. The latter, after all, was then assessed through the multi-criteria analysis (MCA) that followed. In effect, the experts were asked to do the MCA implicitly and then, having done so, to apply it explicitly to the “risks” that already had it built in. At various points (for example, p. 48), it is difficult to tell whether experts were being asked just about the frequency with which a channel or method was used or the amount of money that was flowing through that channel or method. 44. For example, when specific methodological questions were posed to the Canadian team responsible for the second NRA, they admitted that they did not know exactly how the first NRA was conducted because they had not been involved in the first NRA, and the colleagues who had been involved had left the department. <<< 21 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs The experience of reviewing 11 published National Risk nations have been asked to undertake a task that has never Assessments from leading nations is troubling. They lack been done well before. Conducting an NRA may also be conceptual clarity, the data are highly limited, most are seen as just a box-checking exercise to meet international analytically weak or fail to explain the methodology, and the standards, leading to a lack of motivation to do anything more whole goal of the NRA—to inform policy decisions—is often than the internationally accepted bare minimum. The narrow missed or at least not made explicit in the published version. and relatively closed world of AML—and thus the lack of Several reasons may help explain why these NRAs do not general risk assessment experts—may be another reason. seem to meet their stated objective. The most fundamental Appendix D speculates in more detail on why the current explanation is simply that the NRAs are not strong because NRAs are not stronger. <<< 22 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 6. >>> Path Forward We offer here a set of suggestions about a tighter and more explicit conceptual framework and the kinds of data and analytic methods that offer prospects of improving the quality of NRAs. These recommendations are not detailed but arise from our study of the limitations of the eight NRAs and are intended primarily to stimulate discussion. The concluding section of this report presents three specific recommendations. Risk Assessment Lessons from Other Fields As we argue here and in a preceding article (Ferwerda and Reuter 2019), the FATF Guidance for risk assessment (2013a), in particular its conceptual inconsistencies, has created problems. As a result, countries have adopted a variety of conceptual frameworks, at times inconsistently. The different focus that countries apply leads to risk assessments that do not provide the needed understanding of risks. A central formula used in the more general literature on conducting a risk assessment (see, for example, Rausand 2013) is Risk = Probability of Hazard x Consequences. Consequences are measured in money units (for example, dollars), and Probability is a percentage, so the Risk is measured in dollars. This means that risk is not a percentage but a dollar value, which might feel inconsistent with the more common language usage of the term risk. We suggest that threat and vulnerability together define the probability of the Hazard for money laundering (as is suggested for terrorism risk assessment as well; Willis et al. 2005). Money laundering is not a one-time event or one that happens only occasionally, such as a flood, a nuclear power accident, a terrorist attack, or a virus outbreak. Because money laundering occurs more or less frequently, we should not focus on the probability but on the frequency of its occurrence. A year would be an intuitive time period for money laundering calculations (in line with Rausand 2013, 40). Applying the more general literature on risk assessments to money laundering, the risk is the frequency that money laundering events occur multiplied by the consequences for the society as a whole each time money laundering occurs. Although the FATF Guidance (2013a) refers to a list of 25 possible adverse consequences of money laundering mentioned in the literature, empirical support for those consequences is missing (Ferwerda 2013). None of those consequences have been reliably estimated—indeed, <<< 23 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs almost none have been examined empirically at all; thus, one can at least be clear about what is to be analyzed and the analysis needs to be simplified. The FATF quite sensibly what could be relevant risk factors: factors that increase the suggests that NRAs may ignore consequences, but what amount of money laundering. These factors could be related to would then happen to the conceptual framework? It would threat—more predicate crimes or factors that make predicate mean that the formula Risk = Frequency x Consequences crimes more profitable—or they could be factors related to would be simplified to Risk = Frequency (in line with Savona vulnerability—legal loopholes, unsupervised sectors, weak and Riccardi 2017, 27–31). Leaving out the consequences borders, and so forth. Our suggested framework therefore changes the unit of measurement of risk. Risk is typically a does not contradict the concepts put forward by the FATF dollar value (basically, the expected value of the consequences (2013a) but tries to use them in such a way that the goal and measured in dollars); if we ignore consequences, then risk operationalization are focused and can contribute to the stated would be measured as a number without dimensions. goal of a risk assessment: to inform relevant policy decisions. Such estimates can be used for what we can call the bare For the conceptual framework to work and to have the right minimum: decisions about the distribution of risks across unit of measurement, the consequences of money laundering sectors, but such risk estimates can also be aggregated across cannot be ignored. We therefore suggest the following other dimensions to make decisions about, for example, risks simplification: assume that consequences scale with the across different predicate crimes, different financial products, amount of money laundered in a transaction. If more dollars and different regions. are laundered, we expect that the consequences are greater. Measuring risk with a direct dollar value (a money laundering The Problem of Endogeneity estimation) and no probability might seem strange and unconventional; however, this convention is also used in other fields in which risk assessments are more established. For The FATF approach assumes money laundering threat and example in preparing a guideline for engineers, Hara (2002 vulnerability of any one sector as independently determined page 1) states, “The most appropriate definition of risk is the because the approach suggests that high-risk sectors (classes expectation of loss because it is necessary to be a dimensional of institutions or products) should be subject to greater value for comparison. Two components of risk are severity scrutiny and low-risk sectors to less. That assumption creates and probability of occurrence. Severity is the amount of loss a potentially important problem because sector risks are likely measured in units of value. The probability, which should be to be linked. Further, FATF Guidance on risk assessment has defined as the degree of belief, has no dimension. Accordingly been understood as a static relationship between threats and risk has also a dimension of value and should be measured in vulnerabilities, whereas a dynamic approach (over time) is units of value.” essential. We suggest a conceptual framework in which Risk = Drawing an analogy to a risk assessment for flooding shows Frequency of money laundering events x Amount of dollars the problem of that assumption. Under some conditions, threat laundered per event. Risk then is simply the total amount of and vulnerability are indeed independent of each other. New money laundered in each specific sector or product being Orleans faces a high probability of flooding, which requires the assessed. This calculation can be done at any level of city to invest heavily in, for example, levees to mitigate that disaggregation. The level of disaggregation should be chosen inherent risk. Washington, DC, faces a very slight probability on the basis of the policy decision that is to be informed. For of flooding, so it invests little in flood mitigation; thus, example, the FATF seems to suggest that knowing the risk Washington, DC, is more vulnerable to a flood, contingent level in each sector determines in which sectors to intensify on such an event occurring. That is still an optimal allocation. AML efforts; hence, one should estimate the amount of money Greater vulnerability does not lead to more floods, and laundered per sector. A bank should aim to estimate how the New Orleans decision does not affect the Washington, much is laundered through its different services and products DC, threat. to determine which to scrutinize more intensely. Supervisors should aim to estimate the amount of money laundering per For money laundering, however, the threat is not exogenous institution they supervise to know which institutions to monitor per se (that is, determined independently of vulnerability), more closely (that is, risk-based supervision). as it is in the previous floods examples, nor are sectors independent of each other in that respect. Money laundering Estimating the amount of money laundering is difficult to do threats to an individual sector are influenced by vulnerabilities in practice, but by defining money laundering risk this way, of that sector relative to that of others. With a lag, money <<< 24 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs launderers can shift their business away from a given sector if flowing in for laundering but ignores money flowing out of the other sectors become increasingly vulnerable, ceteris paribus. country for laundering elsewhere. An understanding of the A sector with weak AML controls may face little threat if other, different types of money laundering flows is important to adapt more vulnerable sectors exist in the same country. Increasing enforcement strategies. the stringency of controls on one sector may raise the threat in other sectors. Foreseeing which sectors will have higher The goal of national risk assessment is to assess relative threat and how much higher are both major challenges for risks within the country, not differences in risk across dynamic risk management. The value of the NRA exercise countries. Discussions with AML officials indicate that the would be significantly increased if those dynamics were better FATF did not want to facilitate cross-national comparisons— recognized and became part of risk management. the creation of a league table. Unsurprisingly, the demand for cross-national comparisons has generated its own The relevant floods analogy is New Orleans and its neighbors. supply. Since 2014, the Basel Institute on Governance has The threat of flooding to New Orleans may increase if published an annual AML index, which gives an absolute neighboring communities strengthen their levies and the score and a rank on the effectiveness of AML efforts for each flooding is displaced downstream. If the measure of damage of 146 countries.46 Although the index seems to have only is community specific, then the stronger levees in Jefferson, moderate use for scholarly purposes, one reviewer observed Louisiana, reduce flooding damage for that city. If the measure that “Representatives of some Wolfsberg Group members includes all the communities that are affected by the stronger confirmed that they were using it.” levees, the result may be negative, as the New Orleans problem is worsened. The same holds for increasing sector-specific money Audiences for the Published laundering controls; if banks are made less risky, then National Risk Assessments more money may be laundered through currency exchange operations. Willis et al. (2005, 52) and the National Research Council (2010, 66) signal similar endogeneity issues when Because risk assessments are produced to inform decisions, the risk concepts of threat and vulnerability are applied to the first task is to identify the decisions and decision makers terrorism risk assessments. Cox (2008, 1752–3) shows with involved. The FATF correctly identifies two distinct policy some simple examples how significant the bias can be when audiences for NRAs—regulators and investigative agencies correlations between risk factors are ignored. (FATF 2013a, 8)—each with its own responsibilities. By adopting the FATF framework of threat and vulnerability, one One fundamental challenge from this approach is that FATF can see that the two audiences have distinct responsibilities. risk assessments are focused on criminals laundering their proceeds locally. The approach to risk assessment in countries (1) Regulatory authorities aim to reduce vulnerability by that mainly deal with foreign illegal investments or dirty money improving prevention, detection, and sanctioning within the just flowing through must be different (Ferwerda et al. 2020). financial system. What they cannot do is directly affect the The FATF Guidance is not clear about whether to assess volume and revenues of predicate crimes; that goal can only be imported and exported money laundering risks.45 Switzerland accomplished through feedbacks that are weak and uncertain, may find its money laundering threat increases if Luxembourg from increased difficulty of money laundering to incentives reduces the overall vulnerability of its AML system. For NRAs— for committing crime. Regulators do not articulate priorities which, despite the name, assess just relative risks at sector for the kinds of predicate crimes they are most interested level, not the risk of the country as a whole—that threat may in detecting, and in this sense, every laundered euro is the be only a peripheral consideration. At present, NRAs consider same to them. The same would apply to a third audience of a only money laundering that occurs within the country; thus, published NRA: the private sector with anti-money laundering it includes the threat from other countries in terms of money duties. Suspected money laundering transactions need to be 45. Countries should care about the money laundering risks they export, but if those risks do not materialize in the country, they might not have to be included in a national risk assessment. 46. “The Basel AML Index measures the risk of money laundering and terrorist financing of countries based on publicly available sources. A total of 14 indicators that deal with AML/CFT regulations, corruption, financial standards, political disclosure, and rule of law are aggregated into one overall risk score. By combining these various data sources, the overall risk score represents a holistic assessment addressing structural as well as functional elements in the AML/CFT framework. As there are no quanti- tative data available, the Basel AML Index does not measure the actual existence of money laundering activity or amount of illicit financial money within a country but is designed to indicate the risk level, i.e. the vulnerabilities of money laundering and terrorist financing within a country” (https://index.baselgovernance.org). The NRA is not yet part of the index, perhaps because it is available for a relatively small number of countries. <<< 25 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs reported irrespective of the possible predicate crimes that that they do not involve large-scale novel data collection generated the money. or untested methods, yet they represent a different and demanding approach to the risk assessment exercise. Our (2) By contrast, investigative agencies such as the police proposals also emphasize transparency about data collection or tax inspectors aim to reduce the threat. Their goal is to and methodology even if not about the data themselves; reduce predicate crimes; AML is one of the tools they use for AML risk assessment will improve only with more sharing of that purpose. By lowering predicate crime, they reduce the how the NRAs are done and discussion of the strengths and proceeds of crime that generate money for laundering. They weaknesses of the different approaches. lack the tools to reduce the vulnerability of specific sectors of the financial system.47 Investigative authorities have a priority TRANSACTIONS, not suspicious transactions, must be a list of which proceeds of crime they would prefer most to starting point for creating risk profiles. The focus on analyzing reduce due to differences in the severity of the harms that patterns in suspicious activity reports or suspicious transaction specific crimes inflict on society or for other reasons. For reports—reflected in the Japanese, Singaporean, and Swiss those authorities, some contaminated dollars are more equal NRAs—starts at the wrong point. The issue is not what than others; they might make refined judgments even within common characteristics of SARs are but how SARs differ from sectors, for example, that the dollar from a major fraudster other transactions. For example, if 50 percent of Canadian is more valuable to detect and prevent than the dollar from a SARs come from the US, that does not of itself make the US a small-scale fraudster. high-risk country; if 75 percent of all transactions are from the US, then the 50 percent of SARs indicates that this is a low- One operationally significant implication of identifying the two risk country. A sample of transactions for a regulated sector perspectives, regulatory and investigative, bears on expert could be created and the characteristics of SARs compared opinion, the most important data source for NRAs. Experts with the characteristics of the total population of transactions. from those two groups have to be separated when asked these kinds of questions about sectoral risk. Regulators and MYSTERY SHOPPING. In a landmark 2011 study, the World enforcement agents will naturally have a different focus and Bank undertook a set of “mystery shopping” exercises (van therefore interpret concepts (such as threat and risk) differently. der Does de Willebois et al. 2011). A sample of Trust Service When asked which sector is most risky, representatives of Providers (TSPs) in a number of countries were approached by an investigative agency focused on drugs might say “banks” e-mail to set up a shell corporation. The pattern of responses because they see drug criminals depositing cash at banks. in terms of willingness to breach basic AML protections, such Regulatory experts, such as FIU employees, might say as requiring proof of beneficial ownership and authentic “lawyers” because they see that lawyers do not report as identification documents, was very revealing. TSPs in the frequently as other groups with reporting responsibilities. US and the UK were much more willing to violate the rules The most important distinction is thus on the denominator than were TSPs in notorious secrecy jurisdictions such as the that colors the view of the expert. Enforcement agents see British Virgin Islands and the Bahamas. This approach has all the crimes (as this is their job, after all) and how they are been used in other studies of other intermediaries (see, for dispersed, whereas regulators see all operations within the example, Findley, Nielson, and Sharman 2013 and 2021) and sector they oversee, with instances of bad behavior among less formally by AML consultants—for example, by attempting those operations. Those differences in experts framing must to make suspicious-looking deposits at banks and finding out be considered in expert opinion elicitation exercises. whether it leads to the filing of an SAR. 48 Those efforts suggest a plausible method for testing the Data Sources credibility of claims to have an effective AML system for a particular sector or product. The method’s breadth and depth should not be overstated, but as the methodology is developed Credible NRAs will require the use of multiple sources of data. through further testing, it may help estimate the probability of Our suggestions here are intended to be practical in the sense detection of money laundering at various points in the system. 47. In principle, a focus on specific financial sectors by investigative agencies might increase the perceived risk associated with the laundering of that sector. For example, if fraud investigative units put more emphasis on using SARs from international transfers to target potential offenders, that scrutiny might make such transfers less attractive to fraudsters. We assess this outcome as a second-order effect compared with direct regulation of that class of transactions. 48. This method was described by John Chevis at the following two conferences: 36th Cambridge International Symposium on Economic Crime, Plenary Workshop 10: AML National Risk Assessments—The Way Forward, Cambridge, UK, September 2–9, 2018; and 4th International Conference on Governance, Crime and Justice Statistics, organized by UNODC for the Sustainable Development Goals, Lima, Peru, June 4–6, 2018. <<< 26 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs ELICITING EXPERT OPINION. Expert opinion will their opinion is being sought. “Differences in response may undoubtedly remain an important source of data, even if new result from different paradigms by which the experts view the data sources are developed; however, a specific method is world and the data. This often is true when the experts come available for obtaining relevant, comprehensive, and unbiased from different disciplinary backgrounds” (EPA 2012 page 89). data under the general rubric of “eliciting expert opinion.” This For example, how knowledgeable is a customs official when method involves painstaking preparation of the instruments for asked about the money laundering risks for casinos? asking questions, techniques for establishing the competence of experts, methods for reconciling results, and learning from To establish consistency, researchers might offer experts differences in opinions (Morgan 2014). This report is not the a series of pairwise comparisons; consider the following place to describe those techniques in detail, but we offer a example. A money launderer tries to launder US$20,000 broad rationale for their development and one example of the through a bank and US$20,000 through a casino. Where do kind of exercise that is used to validate experts’ competence. you think it is more likely the money laundering is detected, at the bank or the casino? Then compare a bank and a real Tversky and Kahneman (1974) describe and model human estate transaction, then a real estate and a casino transaction. heuristics and biases in estimating probabilities. Many studies Failure to pass a transitive consistency test throws doubt on after that seminal publication have shown (similar) biases but the individual expert.49 also provide lessons on how to improve the results of expert elicitation across disciplines such as psychology, decision MONEY LAUNDERING CASES. Some NRAs include and management science, computing, forecasting, and vignettes of specific detected money laundering transactions. statistics (Kynn 2008). To give some examples, Bolger and To our knowledge, no country has created a database of Wright (1994) emphasize the importance of having experts proven money laundering transactions to determine what questioned within their expertise and experience in a familiar can be learned about threats and vulnerabilities.50 A useful metric, that they must understand the tasks being asked of model can be found in the work of Edward Kleemans in the them, and that they must be expert. Finding the right expert Netherlands, who has created databases on organized crime is critical. Shanteau (1992) expands on this issue, describing cases that have proven valuable in providing insights about the different thinking and problem-solving patterns in experts, careers in organized crime, contrasting them with careers which novices (even graduate students with several years of in property and violent crime (Kleemans and de Poot 2008; experience) may not have yet acquired (Kynn 2008, 259). Kleemans and van Koppen 2020). By examining a body of cases in the specific country, one can learn, for example, what Learning from the diversity of opinion among experts is kinds of institutions and products have been used by money important, as is the expert’s confidence in his or her judgment, launderers or whether specific locations are more vulnerable. when consulting experts for their opinion (Morgan 2014). The World Bank has just begun an effort to encourage None of the eight countries explicitly referred to how confident countries who use its NRA tool to build such a database.51 experts were except the Netherlands in a follow-up NRA Creation of such databases is a long-term effort that should exercise that was done for the overseas part of the kingdom be started now but will yield useful insights only after a (van der Veen and Heuts 2018). The lack of attention to few years.52 uncertainty is “a chronic disease of planners” (Quade 1975). It is especially important when experts from very different Surely still other data sources can be tapped, such as government organizations and private entities are brought investigative reports by media. Our message is less that any together to determine risk ratings for a large variety of crimes specific set of sources will be sufficient than that multiple and sectors because each of them is expert on only some sources will be needed and attention has to be given to their of the sectors and modes of money laundering about which systematic integration. 49. The World Bank NRA workshops also have an elevator pitch exercise, in which the experts are invited to market their country as a good destination for money laundering and guide a criminal about the best methods and sectors to launder his or her money without being detected. This exercise practically asks the experts to put themselves into criminals’ shoes. This exercise has proven very useful and many times yielded more meaningful and realistic conclusions than filling the Excel templates of the World Bank tool. 50. The US 2015 NRA refers to such a database, but in the published NRA, this database is never analyzed or used for any purpose other than providing vignettes. 51. The database methodology can be found at Proceeds of Crimes Data Collection Tool: http://pubdocs.worldbank.org/en/422681580318460585/POC-Update-04.pdf. 52. A commercial site, amlpenalties.com, offers a database on cases that led to penalties. We cannot assess its provenance, accuracy, or comprehensiveness. <<< 27 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Analytic Methods The data do not speak for themselves. Explicit multiple meth- pered by an unreliable identification infrastructure in a country. odologies are needed to relate the data to the estimated risks; The World Bank Tool for National Risk Assessments for mon- no single methodology will allow synthesis of the very varied ey laundering and terrorist financing already includes such a data that should be used. critical path analysis.53 An intuitive start for a vulnerability assessment is to assess One reviewer suggested that developing a cadre of profes- the strength of the policy framework with critical path analysis. sionals to do risk assessments for many countries might im- The chain is only as strong as the weakest link. An example prove the NRAs, in particular with respect to analytic methods. of consequential steps in the field of anti-money laundering Such a cadre would ensure that the reports reflected a good policy is from investigation via prosecution to conviction. The knowledge of the risk assessment field and consistency in the investigation and prosecution may be successful but are use- results across countries. They would learn over time from con- less when the convictions are hampered by incompetent or ducting the exercise in many different contexts. This method corrupt judges. Analyzing where the bottleneck is in such has some serious disadvantages, though–in particular, loss systems is a good start for a vulnerability assessment. Other of buy-in by the domestic agencies involved in AML and of examples of such chains in the field of AML policy are (a) de- specific local expertise. Nonetheless, if the NRAs are to con- tection of money laundering by banks, which can be rendered tinue to be an important part of the mutual evaluation report useless if the FIU is unable to do its part in processing STRs; process, fundamental revisions in the process are worth con- or (b) monitoring of customers by banks, which may be ham- sidering, and this is one such proposal. 53. See Risk Assessment Support for Money Laundering/Terrorist Financing,” World Bank brief, 2016 https://www.worldbank.org/en/topic/financialsector/brief/antimoney-laun- dering-and-combating-the-financing-of-terrorism-risk-assessment-support. <<< 28 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 7. >>> Concluding Comments and Recommendations Before drawing conclusions about the strength of the NRAs, we should note that whatever the weaknesses of the NRAs as risk assessments, the process of conducting the assessment is valuable in itself. AML is a very widely distributed responsibility. Conducting a National Risk Assessment requires bringing together all those agencies for the purpose of sharing data and insights. Each of the authors has witnessed just such a phenomenon when participating in the development of an NRA. That sharing is likely to increase the effectiveness of the AML system. Harnessing that energy to produce stronger NRAs is a very worthwhile goal. As articulated by the FATF, a meaningful risk-based approach requires a good understanding of how risks are distributed, yet the first NRAs showing their understanding of money laundering risks appeared at least 12 years after the FATF included it as an option in its recommendations and at least 3 years after it was made mandatory. Perhaps that lapse reflects the difficulty of doing an NRA well. No existing model provides real guidance; the FATF Guidance document (2013a), as already noted, claimed only to provide general guidelines. The common methodology of the mutual evaluation reviews, the typology exercises, and the peer review was designed to facilitate comparative lesson drawing and diagnostic testing, with regular updates to the standards over time. The possibility of different NRA approaches being tried is arguably a strength, given the lack of established models for risk assessment in money laundering; however, the lack of both a common understanding of the conceptual framework and a clearly formulated focus for the NRA makes the conducted NRAs so different from one another that learning from each other becomes challenging or even impossible.54 The National Risk Assessment exercise is in its early stages. There is no shame in stumbling at the starting gate; that has happened in other spheres of risk assessment as well.55 A variety of approaches is healthy for an institutional setting that does not have a strong history of empirical analysis. To move this field forward, we recommend the following three steps. 54. One possible and troubling explanation for the limited development of the risk-based approach is that it has implausible premises for money laundering control. It requires an alignment between the incentives of the bank and those of the regulator (Ferwerda 2017). With prudential regulation, such an alignment can be assumed. A bank wants to reduce the extent of fraud and to do so efficiently; so does the regulator. That same bank is not harmed by the laundering of money, however. Money laundering may result in economic and social harms, but none of the harms identified in the long list provided by Ferwerda (2013) are borne by the bank. Au contraire, as revealed in such scandals as the 2018 Danske Bank (https://sevenpillarsinstitute.org/the-case-of-danske-bank-and-money-laundering/) and the 2012 HSBC scandals (see, for example, Naheem 2015), the bank may see laundering as a profitable business line. The costs it faces are imposed directly or indirectly (through the loss of reputation) if its complicity in money laundering is discovered. From the bank’s point of view, the risk to which it is being exposed is not money laundering but the risk of being detected laundering criminal proceeds. 55. For instance, see Masse, O’Neil, and Rollins (2007) for an overview of the development of risk assessment methodologies by the US Department of Homeland Security for terrorism risks. Crevel et al. (2014) show how risk assessments evolved for food allergens. Dourson, Felter, and Robinson (1996) show the progress made in toxicological noncancer risk assessments. Omenn (2003) analyzes the evolution of risk assessments for chemicals in the environment. See Ball (2007) for a general reflection on how risk assessments have evolved over time and the relevant controversies. <<< 29 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs 1. The concepts and focus of NRAs should be made clearer and universally applicable to maximize the possibility of countries learning from each other. 2. Trying a new and different NRA approach should be welcomed, and possible failures of such methods should be accepted beforehand. A lack of transparency about research methods and data used, however, is not acceptable if countries are to eventually want to learn what works and what does not. 3. If the aim is to advance the field of money laundering NRAs, the executing national institutions need help to develop sufficient expertise. Setting up an international research center focused on money laundering risk assessment is needed to advance understanding of how to conduct such an assessment well. Fortunately, those recommendations are relatively low-hanging fruit that can readily be implemented. <<< 30 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs A. >>> Appendix A. NRAs Published by OECD Countries > > > T A B L E A . 1 - Overview of NRAs of OECD Countries OECD country Australia Austria Belgium Canada Chile Czech Republic Denmark Estonia Finland France Germany Greece Hungary Iceland Ireland Israel Italy Japan Year NRA 2014 TF focused 2015 2018 2016 2016 2015 2014 2015 2016 2018 2015 2017 2016 2017 2014 2015 Comment No public NRA found No public NRA found OECD country Lithuania Luxembourg Mexico Netherlands New Zealand New Zealand – 2 Norway Poland Portugal Slovakia Slovenia South Korea Spain Sweden Switzerland Turkey UK UK – 2 * Year NRA 2015 2016 2017 2010 2018 2014 2013 2016 Comment No public NRA found No public NRA found No public NRA found No public NRA found 2014 Fragmented, not one NRA 2013 2015 2015 2017 No public NRA found Japan – 2 2017 United States 2015 Latvia 2017 United States – 2 2018 NRA = National Risk Assessment . OECD = Organisation for Economic Co-operation and Development. TF = terrorism financing. UK = United Kingdom. US = United States. * Appendix A. NRAs Published by OECD Countries <<< 31 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs > > > F I G U R E A . 1 - Number of NRAs Published by the 38 OECD Countries over Time 10 9 8 7 6 5 4 3 2 1 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 OECD = Organisation for Economic Co-operation and Development. Source: Based on the data above Table A.1. The risk-based approach was introduced in 2003. In 2012, the FATF made explicit that countries should perform a National Risk Assessment. <<< 32 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs B. >>> Appendix B. The FATF Approach to Risk Assessment The FATF did not give its members an exact prescription for how a risk assessment ought to be conducted, reflecting the novelty of the exercise. The FATF published a guidance document in which only the goal and some concepts are explained. We focus our attention here on the concepts.56 According to the FATF, money laundering risk for a sector is a function of threat, vulnerability, and consequences. With this, the FATF applies the terminology commonly used in risk assessments of terrorism (see, for example, National Research Council 2010; Willis 2007; Willis et al. 2005) to money laundering. Although those labels have intuitive appeal as a means of structuring the NRA exercise, they are in fact confusing when applied to money laundering (see also Ferwerda and Reuter 2019). a. A threat is a person or group of people, object or activity with the potential to cause harm to, for example, the state, society, the economy, etc. In the ML/TF context this includes crimi- nals, terrorist groups and their facilitators, their funds, as well as past, present and future ML or TF activities. (FATF 2013a, 7) In the more standard risk assessment terminology, threat is the hazard to which the entity is being exposed. The above definition of threat is so heterogeneous as to defy coherent description, let alone measurement. Putting together people, money, and activities to form one variable to work with is impossible. What might be meant by “object” that constitutes a threat? Annex 1 of the Guidance provides a list of more than 150 threat factors (FATF 2013a, pp. 32–39). Most are simply predicate crimes, and the implication is that threat should be measured by revenues, but it also includes such items as “sources, location, and concentration of criminal activity, including within illegal underground areas in the economy.” If one could combine such different threat factors, what is the unit of mea- surement of such a variable? A simple and intuitive version of the level of money laundering threat faced by a nation is the amount of money that seeks laundering, perhaps proxied by the estimated proceeds of predicate crimes in the country. In a standard economic frame, that variable would be described as the demand for money laundering services. Dawe (2013) argues for such an approach; the FATF methodology does not invite that operationalization and offers no alternatives. b. The concept of vulnerabilities as used in risk assessment comprises those things that can be exploited by the threat or that may support or facilitate its activities…. In the ML/TF risk 56. More recent guidance has been offered for the CTF component of the NRA exercise; see FATF, 2019, Terrorist Financing Risk Assessment Guidance, at https://www.fatf-gafi.org/publications/methodsandtrends/documents/terrorist-financing-risk-assessment-guidance.html. <<< 33 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs assessment context, looking at vulnerabilities as distinct money laundering helps dealers to freely spend the proceeds from threat means focusing on, for example, the factors from selling drugs, but technically, selling drugs is not part of the that represent weaknesses in AML/CFT (as elsewhere) money laundering process. The FATF Guidance (p. 7) states systems or controls or certain features of a country. They that the underlying criminal activity is part of the consequence may also include the features of a particular sector, a fi- of money laundering, which means that it matters for a risk as- nancial product or type of service that makes them attrac- sessment whether a laundered dollar initially came from selling tive for ML or TF purposes. drugs, fraud, or corruption because different predicate crimes have different effects for society (see, for example, Cohen 2004 Again, how can one combine a legal loophole and the features and McCollister, French, and Fang 2010). of a financial product? Perhaps the FATF just aimed to iden- tify which factors to take into account when assessing money Risk-based regulations promise many advantages over rule- laundering risk without suggesting a natural way of measuring based regulations: less obedience merely for the sake of com- it. That intention is reasonable as far as it goes, but the failure pliance, less formalism, less administrative burden—in short, to be more explicit might explain why so many money launder- less (unnecessary) bureaucracy. The risk-based approach ing risk assessments are struggling with their conceptual fo- aims to achieve this goal by simplifying and focusing on critical cus and thus fail to inform relevant policies. Creating an index points—on those parts in a system or process where things that combines those elements is a major analytic task. could go wrong, where the risks are greatest. Moreover, risk- based regulation offers to respect those involved by making The Methodology document provides an extraordinarily use of their experience and knowledge. Companies and other lengthy list of examples of vulnerability, occupying seven private-sector actors, the subjects of the law, are treated as pages with about 15 items described on each page. The risk resourceful actors rather than ignorant children who have to factors are in six broad categories, most of which are national be taught a lesson. (for example, political stability, demographics) and only a few of which are specific to a particular component of the finan- The risk-based approach assumes that compliance could be cial sector (for example, types and ranges of customers and achieved by intrinsic rule internalization rather than requiring nature of business relationships). That is not how “vulnerabili- extrinsic threats; thus, it promises to enhance not only the effec- ties” were generally interpreted by the individual countries. In tiveness and efficiency of regulations but also their legitimacy. their analyses, vulnerability refers to characteristics of a sector Who would not like freedom, less bureaucracy, more legitimacy, that make it attractive (for example, the speed of bank trans- and more policy effectiveness? (Unger and van Waarden 2013) actions) or weaknesses in the prevention of, detection of, and enforcement against money laundering events, which get dis- A risk-based approach has costs as well as benefits, however. tinctly second billing in the FATF Methodology. Crucial for a good risk-based approach is adequate informa- tion about the risks, which is gathered and analyzed; resources c. Consequences are the adverse effects of money launder- have to be spent to determine those risks. There is a trade-off ing. The guidance, as noted, states that measuring con- between assessment and execution of the risk-based policy: sequences of money laundering can be challenging and resources spent on determining the risk (and which risk lev- that therefore a focus on only threats and vulnerabilities is els to tolerate) cannot be spent elsewhere (Black 2010). For acceptable. (FATF 2013a, 8) many kinds of prudential risk, the task is relatively straightfor- ward; for example, corporate bankruptcy is a well-measured Our analysis of the NRAs of eight developed countries shows and much-studied phenomenon (see, for example, Hillegeist that no country made an explicit effort to assess consequences et al. 2004 for an overview of how the estimation models have except the Netherlands, where experts were asked about the developed since 1966). Models of varying degrees of sophisti- potential impact of 10 specific “risks.” A focus on only threat cation have been developed for assessing the risk that a cor- and vulnerability means that the harms inflicted per dollar porate client of a bank will go bankrupt. laundered are implicitly assumed to be the same for all types of money laundering, all predicate offenses, and all sectors. The problem is much more daunting in the field of money laun- dering. It is universally agreed that most money laundering is Even acknowledging that such an assumption is unrealistic, the never detected (see, for example, Levi 2002). How can one question then is how to measure consequences and which con- properly assess money laundering risk with such limited infor- sequences to focus on. A fundamental issue is whether the con- mation? (see also Levi, Reuter, and Halliday 2018). The very sequences of a predicate crime such as selling drugs are part of feasibility of a risk-based approach is dependent on answer- the consequences of the drug proceeds being laundered. Yes, ing this question. <<< 34 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs C. >>> Appendix C. How Useful Is Estimating the Risk Before Policy Intervention? Canada, Italy, the Netherlands, Switzerland, and the UK distinguish between inherent risk and “mitigated risk.”57 This distinction raises the question of how useful and feasible it is to divide the money laundering risk in two: the risk before policy intervention (the inherent risk) and the risk after policy intervention (the mitigated risk). Such an analysis would directly inform policy makers about the effectiveness of AML policy because effectiveness is the difference between inherent risk and mitigated risk. That is not the goal of risk assessment, however; it is the goal of policy evaluation. No matter the inherent risk, policy makers have to adjust policies on the basis of the current, actual risks. Adding the measurement of inherent risk thus only adds a challenge to an already challenging task without helping to inform the relevant policy decision. The measurement of inherent risk is arguably an even more challenging—if not impossible— task, especially with the currently dominant method of analysis: expert elicitation. Measuring inherent risks with expert elicitation means that experts have to be asked what the risk would be in a hypothetical world without any AML policy. Who would have enough expertise to answer such a question credibly? Consider the relevant question for measuring inherent risks: what would be the money launder- ing risk in a world without anti-money laundering policies? We would need to ask ourselves some other questions to start this analysis. Is there no AML in the whole world? Or just not in the country we analyze? Or just the sector we analyze? Let’s say we want to determine the inherent risks of casinos in Italy, as an example. If the whole world and all other sectors have AML policies except casinos in Italy, we might expect an unreal- istically big inflow of money to casinos in Italy, just for money laundering purposes—an amount that might be bigger than the current turnover of casinos in Italy. That would not provide a useful measure. 57. Terminology on this point was inconsistent; we believe that this term best captures the general notion. <<< 35 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs An alternative, more helpful scenario assumes that other sec- ful for risk assessment and potentially generates paradoxes? tors in the country have no AML policies and ignores the po- And to what extent can experts be expected to follow such a tential inflow of money from abroad. That scenario assumes theoretical exercise and give a reliable answer? that no sector in Italy has any AML policy and that the total amount of money laundered in Italy stays the same. One could Measuring the inherent risks in the future with other research argue that criminals prefer banks for their financial transac- methods might be valuable. As long as expert elicitation is the tions due to the speed, ease, and availability. Criminals would dominant method for risk assessment, focusing on the actual then generally use banks in a country without AML policies. money laundering risks might be better. In a next step, money The attractiveness of banks in a country without AML policies laundering risk assessments can be extended to money laun- means that criminals will use banks in other sectors less, so dering risk management models in which the effectiveness of the inherent risk of casinos would be lower than the mitigated policies to mitigate risks could be valuable for policy makers. risk. That generates a paradox: AML policies can increase the The current struggles to assess money laundering risks indi- money laundering risk of certain sectors. What is the value cate that it seems too soon to take this next step. of such information? Why conduct an analysis that is unhelp- <<< 36 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs D. >>> Appendix D. Why Are the Current NRAs Not Stronger? We start by repeating a comment that appeared earlier in this report. The task of assessing money laundering risk is truly daunting. Indeed, one might even ask if it is feasible at all or at least just how precise one might reasonably expect the results to be. The most fundamental ex- planation is simply that the NRAs are not strong because nations are being asked to undertake a task that has never been done well before. Developing a robust and coherent assessment methodology can be considered a standalone task that requires substantial effort and time. Only Italy produced a standalone methodology document. The NRAs that this report analyzes are elaborate exercises involving many different stakeholders and conducted over a period of many months. We can provide only a speculative explanation for why the NRAs are not stronger. BOX CHECKING [AS ON P. 26] – One plausible interpretation of the limited value of the NRAs is that they were executed simply as a “box-checking” exercise, a concern that has been ex- pressed about many elements of the FATF mutual evaluation report process (Levi, Halliday, and Reuter 2014). The FATF requires that each government identify, assess, and understand the risks of money laundering in its jurisdiction. Although the FATF does not mandate a published national risk assessment, it does encourage one, as indicated by the publication of the 59-page Guidance on how to conduct such risk assessments. For the six countries analyzed in this report58 that had a mutual evaluation by 2019, the published NRA had been given high marks; thus, those are NRAs that the FATF community thinks well of. At least one participant explicitly supported this box-checking interpretation. In his country, the preparation and publication of the NRA had attracted no attention from the many agencies in- volved in its development. He had received no comments once it was published nor been asked to brief anyone about the findings. Further evidence for this claim is that almost no country had published a risk assessment before the FATF requirement was imposed in 2012, notwithstand- ing the effort to create a risk-based approach for AML in 2003. Repeatedly, we were told that the NRA was conducted in preparation for an MER, not because it was believed to be important for efficient operation of the money control system. 58. Japan and the Netherlands did not have a mutual evaluation in which the NRA was assessed at the time this study was done. <<< 37 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Because the FATF Guidance is so general, it is an easy box ard. It is specifically in the field of terrorism risk assessment, to check; the variety of approaches taken and approved by where Risk is determined by Threat, Vulnerability, and Conse- mutual evaluations is evidence of that statement. None of the quences (see, for example, National Research Council 2010; NRAs, of limited value as they are, have attracted serious Willis 2007; Willis et al. 2005). For terrorism, those concepts criticism in their mutual evaluation report. One experienced fit more naturally. Terrorism has two fundamental probabilities: observer noted that the FATF plenaries, at which draft MERs the probability of an attack (by a threat) and the probability were discussed, had occasionally suppressed criticisms of that the attack leads to damage (dependent on vulnerabili- specific NRAs, suggesting that these exercises only had to ties). Studying both probabilities separately, represented by show an “understanding” of the risks, a relatively low bar. the clearly defined concepts Threat and Vulnerability, there- fore seems fitting. (Willis 2007, 598) Even though terrorism— THE NARROW WORLD OF AML. None of the NRAs show more specifically, countering terrorism financing—is seen as awareness of the broader risk assessment literature. An oc- related to anti-money laundering as a policy domain, applying casional ritual reference was made to ISO 31000, which lays the same risk concepts is questionable. Fundamental differ- out how a risk assessment should be conducted, but no use of ences between terrorism risk and money laundering risk affect any specifics of the framework is presented in that document. how those risks can be measured. First, terrorism events are The ISO reference in the individual NRAs is essentially cut sporadic; money laundering events happen hundreds or thou- and pasted from the FATF Guidance, which itself makes little sands of times every day in each country. For such patterns, use of the ISO standard. The lack of use of consulting firms, considering money laundering frequency would be better than which have expertise in risk assessment, is also indicative of considering the probability of a money laundering event. Sec- a reluctance to embrace a broader array of technical skills. ond, terrorist attacks have a direct visible consequence. When money laundering is performed successfully, it should gener- The FATF Guidance (p. 6) mentions that concepts are “use- ate no visible impact and go completely unnoticed. Whereas fully described elsewhere” when referring to the international the use of the concepts Threat and Vulnerability seems natu- ISO standard for risk assessments but continues without us- ral and well-focused for terrorism risk assessments,60 money ing those concepts and introduces its own conceptual frame- laundering risk assessments struggle to measure and analyze work, in which risk is a function of threat, vulnerability, and Threat and Vulnerability. consequences. The word hazard (as standard in the interna- tional literature on risk assessment and the ISO standard) is It is also striking that there has been no effort to develop a not used once in the FATF Guidance. In the ISO (2009) stan- stronger NRA methodology. Some NRA participants whom dard 31010 document, the word hazard is used 83 times in 92 we interviewed reported that they had read two or three other pages. On the other hand, in the ISO standard 31000—so fre- NRAs but rarely had reached out to consult with other nations quently mentioned by the FATF—the term vulnerability never about their experiences. The FATF plenaries have regular side appears.59 events (sponsored by the Risks, Trends, and Methods Group) in which a nation presents its NRA, but observers report no Without an explicit reference, the money laundering risk as- meaningful critique emerging from those events. We are un- sessment concepts put forward by the FATF (threat, vulner- aware of any symposia or workshops that have tried to culti- ability, and consequence) seem borrowed from terrorism risk vate an NRA community. That only the Netherlands provided assessments. The more general literature on conducting a an adequate description of its methodology is a further indica- risk assessment (see, for example, Rausand 2013) states that tion of the limited interest in the development of the field. Risk = Probability of a Hazard x Consequences of that Haz- 59. The term vulnerability appears in a related ISO Report, ISO 31010 Risk Assessment Techniques (Section B.11.4), and in ISO Guide 73:2009 (Risk Management Vocabu- lary): 3.6.1.6 vulnerability intrinsic properties of something resulting in susceptibility to a risk source (3.5.1.2) that can lead to an event with a consequence (3.6.1.3). 60. See National Research Council (2010) and Cox (2008) for a discussion on to what extent the risk concepts Threat and Vulnerability work well in terrorism risk assessments. <<< 38 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs >>> List of National Risk Assessment Documents Reviewed Canada. 2016. Assessment of Inherent Risks of Money Laundering and Terrorist Financing in Canada. Department of Finance. Italy. 2014. Analysis of Italy’s National Money-Laundering and Terrorist Financing Risks. Financial Security Committee. July 2014. Methodology. Italy. 2014. Italy’s National Assessment of Money-Laundering and Terrorist Financing Risks. Financial Security Committee. Synthesis. Japan. 2015. National Risk Assessment of Money Laundering and Terrorist Financing. Working Group on the National Risk Assessment of Money Laundering and Terrorist Financing of Liaison Conference of Related Ministries and Agencies for Implementation of FATF Recommendations. December 2014. Tentative translation. Japan. 2017. National Risk Assessment of Money Laundering and Terrorist Financing. National Public Safety Commission. November 2017. Tentative translation. Netherlands. 2017. National Risk Assessment on Money Laundering for the Netherlands. H. C. J. van der Veen and L. F. Heuts, Scientific Research and Documentation Centre, Ministry of Justice and Security. Cahier 2017-13a. Singapore. 2013. Singapore National Money Laundering and Terrorist Financing Risk Assessment Report. Ministry of Home Affairs, Ministry of Finance, and Monetary Authority of Singapore. Switzerland. 2015. Report on the National Evaluation of the Risks of Money Laundering and Terrorist Financing in Switzerland, Report of the Interdepartmental Coordinating Group on Combating Money Laundering and the Financing of Terrorism (CGMF). June 2015. United Kingdom. 2015. UK National Risk Assessment of Money Laundering and Terrorist Financing. HM Treasury and Home Office. October 2015. United Kingdom. 2017. National Risk Assessment of Money Laundering and Terrorist Financing. 2017. HM Treasury and Home Office. October 2017. United States. 2015. National Money Laundering Risk Assessment. Department of the Treasury. United States. 2018. National Money Laundering Risk Assessment. Department of the Treasury.  <<< 39 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs >>> References Ball, David J. 2007. “The Evolution of Risk Assessment and Risk Management: A Background to the Development of Risk Philosophy.” Arboricultural Journal 30 (2): 105–12. Black, Donald J. 1970. “Production of Crime Rates.” American Sociological Review 35 (4): 733–48. Black, Julia. 2010. “Risk Based Regulation: Choices, Practices and Lessons Being Learnt.” In Risk and Regulatory Policy: Improving the Governance of Risk, 185–224. Paris: OECD Publishing. Bolger, Fergus, and George Wright. 1994. “Assessing the Quality of Expert Judgment: Issues and Analysis.” Decision Support Systems 11 (1): 1–24. Cohen, Mark A. 2004. The Costs of Crime and Justice. Oxfordshire, United Kingdom: Routledge. Cox, Louisanthony (Tony). 2008. “Some Limitations of ‘Risk = Threat × Vulnerability × Consequence’ for Risk Analysis of Terrorist Attacks.” Risk Analysis: An International Journal 28 (6): 1749–62. Creswell, John W., and Vicki L. Plano Clark. 2017. Designing and Conducting Mixed Methods Research. Thousand Oaks, CA: Sage Publications. Crevel, René W., Joseph L. Baumert, J. L., Athanasia Baka, Geert F. Houben, André C. Knulst, Astrid G. Kruizinga, Stefano Luccioli, Stephen L. Taylor, and Charlotte B. Madsen. 2014. “Development and Evolution of Risk Assessment for Food Allergens.” Food and Chemical Toxicology 67: 262–76. Dawe, Stephen. 2013. “Conducting National Money Laundering or Financing of Terrorism Risk Assessment.” In Research Handbook on Money Laundering, edited by Brigitte Unger and Daan van der Linde, 110–26. Cheltenham, United Kingdom: Edward Elgar. Dourson, Michael L., Susan F. Felter, and Denise Robinson, D. 1996. “Evolution of Science- Based Uncertainty Factors in Noncancer Risk Assessment.” Regulatory Toxicology and Pharmacology 24 (2): 108–20. <<< 40 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Ferwerda, Joras. 2012. “The Multidisciplinary Economics of Money Laundering.” PhD thesis, Utrecht University. Ferwerda, Joras. 2013. “The Effects of Money Laundering.” In Research Handbook on Money Laundering, edited by Brigitte Unger and Daan van der Linde, 35–39. Cheltenham, United Kingdom: Edward Elgar. Ferwerda, Joras. 2017. “The Fight against Money Laundering: A Public Task?” In Public or Private Goods?t edited by Brigitte Unger, Daan van der Linde, and Michael Getzner, 37–47. Cheltenham, United Kingdom: Edward Elgar Publishing. Ferwerda, Joras, and Peter Reuter. 2019. “Learning from Money Laundering National Risk Assessments: The Case of Italy and Switzerland. European Journal on Criminal Policy and Research 25 (1): 5–20. Ferwerda, Joras., Alexander van Saase, Brigitte Unger, and Michael Getzner. 2020. “Estimating Money Laundering Flows with a Gravity Model-Based Simulation.” Scientific Reports 10 (1): 1–11. Financial Action Task Force (FATF). 2003. The Forty Recommendations. Paris: FATF/ OECD. https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20 Recommendations%202003.pdf. Financial Action Task Force (FATF). 2012. International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations. Paris: FATF/OECD. https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/fatf%20 recommendations%202012.pdf. Financial Action Task Force (FATF). 2013a. FATF Guidance: National Money Laundering and Terrorist Financing Risk Assessment. Paris: FATF/OECD. http://www.fatf-gafi.org/media/fatf/ content/images/National_ML_TF_Risk_Assessment.pdf. Financial Action Task Force (FATF). 2019. “Terrorist Finance Risk Assessment Guidance.” FATF, Paris. www.fatf-gafi.org/publications//methodsandtrends/documents/Terrorist-Financing-Risk- Assessment- Guidance.html. Findley, Michael G., Daniel L. Nielson, and J.C. Sharman. 2013. “Using Field Experiments in International Relations: A Randomized Study of Anonymous Incorporation.” International Organization 67 (4): 657–93. Findley, Michael G., Daniel L. Nielsen, and J.C. Sharman. 2021. “Behavioral Institutionalism: A Field Experiment on Regulatory Compliance in the Finance Industry,” presented at the Central Bank of Bahamas virtual AML conference, January 27–28. Global Witness. 2016. “Undercover Investigation of American Lawyers Reveals Role of Overseas Territories in Moving Suspect Money into the United States.” Press Release, February 12. https:// www.globalwitness.org/en/press-releases/undercover-investigation-american-lawyers-reveals- role-overseas-territories-moving-suspect-money-united-states/. Hara, Norikazu. 2002. “Unit for Risk Measurement.” https://www.researchgate.net/scientific- contributions/2026115800_Norikazu_Hara. <<< 41 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Hillegeist, Stephen A., Elizabeth K. Keating, Donald P. Cram, and Kyle G. Lundstedt. 2004. “Assessing the Probability of Bankruptcy.” Review of Accounting Studies 9 (1): 5–34. Hopkins, Matt, and Nikki Shelton. 2019. “Identifying Money Laundering Risk in the United Kingdom: Observations from National Risk Assessments and a Proposed Alternative Methodology.” European Journal on Criminal Policy and Research 25 (1): 63–82. International Monetary Fund (IMF). 2013. “A Research Note on Estimating Proceeds of Crime— Preliminary Evidence of the Magnitude of Global and Jurisdiction-Level Proceeds of Crime— External version (Country Names Deleted).” (unpublished research note). International Organization for Standardization (ISO). 2009. International Standard Risk Management—Risk Assessment Techniques, IEC/FDIS 31010. Geneva, Switzerland: ISO. Kleemans, Edward R., and Christianne J. de Poot. 2008. “Criminal Careers in Organized Crime and Social Opportunity Structure.” European Journal of Criminology 5 (1): 69–98. Kleemans, Edward, and Vere van Koppen. 2020. “Organized Crime and Criminal Careers.” In Crime and Justice, Vol. 49—Organizing Crime: Mafia, Markets, and Networks, edited by Michael Tonry and Peter Reuter. Chicago: University of Chicago Press. Knol, Anne B., Pauline Slottje, Jeroen P. van der Sluijs, and Erik Lebret. 2010. “The Use of Expert Elicitation in Environmental Health Impact Assessment: A Seven Step Procedure.” Environmental Health 9 (1): 19. Kynn, Mary. 2008. “The ‘Heuristics and Biases’ Bias in Expert Elicitation.” Journal of the Royal Statistical Society: Series A (Statistics in Society) 171 (1): 239–64. Lamm, Helmut, and David G. Myers. 1978. “Group-Induced Polarization of Attitudes and Behavior.” Advances in Experimental Social Psychology 11: 145–95. Levi, Michael. 2002. “Money Laundering and Its Regulation.” Annals of the American Academy of Political and Social Science 582 (1): 181–94. Levi, Michael, Terence C. Halliday, and Peter Reuter. 2014. “Global Surveillance of Dirty Money: Assessing Assessments of Regimes to Control Money-Laundering and Combat the Financing of Terrorism.” (project report). Cardiff, Wales: Cardiff University Center on Law and Globalization. Levi, Michael, Peter Reuter, and Terence Halliday. 2018. “Can the AML System Be Evaluated without Better Data? Crime, Law and Social Change 69 (2): 307–28. Long Finance & Financial Centre Futures. 2020. “The Global Financial Centres Index 27,” March 2020. Accessed September 18, 2020. https://www.longfinance.net/media/documents/GFCI_27_ Full_Report_2020.03.26_v1.1_.pdf. Masse, T., S. O’Neil, and J. Rollins, 2007. The Department of Homeland Security’s Risk Assessment Methodology: Evolution, Issues, and Options for Congress. Washington, DC: Congressional Research Service. McCollister, Kathryn E., Michael T. French, and Hai Fang. 2010. “The Cost of Crime to Society: New Crime-Specific Estimates for Policy and Program Evaluation.” Drug and Alcohol Dependence 108 (1–2): 98–109. <<< 42 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs Morgan, M. Granger. 2014. “Use (and Abuse) of Expert Elicitation in Support of Decision Making for Public Policy.” Proceedings of the National Academy of Sciences 111 (20): 7176–84. Myers, David G., and Helmut Lamm. 1975. “The Polarizing Effect of Group Discussion: The Discovery That Discussion Tends to Enhance the Average Prediscussion Tendency Has Stimulated New Insights about the Nature of Group Influence.” American Scientist 63 (3): 297– 303. Naheem, Mohammed Ahmad. 2015. “AML Compliance–A Banking Nightmare? The HSBC Case Study.” International Journal of Disclosure and Governance 12 (4): 300–310. National Research Council. 2010. Review of the Department of Homeland Security’s Approach to Risk Analysis. Washington, DC: National Academies Press. Omenn, Gilbert S. 2003. “On the Significance of ‘The Red Book’ in the Evolution of Risk Assessment and Risk Management.” Human and Ecological Risk Assessment: An International Journal 9 (5): 1155–67. Quade, Edward Schaumberg. 1975. Analysis for Public Decisions. New York: Elsevier. Rausand, Marvin. 2013. Risk Assessment: Theory, Methods, and Applications. (Vol. 115 of Statistics in Practice). Hoboken, NJ: John Wiley & Sons. Savona, Ernesto U., and Michele Riccardi, eds. 2017. Assessing the Risk of Money Laundering in Europe. Final Report of Project IARM. Milano, Italy: Transcrime–Università Cattolica del Sacro Cuore. Seaver, D. A. 1978. Assessing Probability with Multiple Individuals: Group Interaction Versus Mathematical Aggregation. Decisions and Designs Inc., McLean, VA. Shanteau, James. 1992. “Competence in Experts: The Role of Task Characteristics.” Organizational Behavior and Human Decision Processes 53 (2): 252–66. Sharman, Jason C. 2010. “Shopping for Anonymous Shell Companies: An Audit Study of Anonymity and Crime in the International Financial System.” Journal of Economic Perspectives 24 (4): 127–40. Tonry, Michael. 2016. “What Should We Expect from Police Data: Can They Tell Us Whether Crime Rates Rise or Fall?” Cahiers—Police Studies, no. 16-36. Tversky, Amos, and Daniel Kahneman. 1974. “Judgment under Uncertainty: Heuristics and Biases.” Science 185 (4157): 1124–31. Unger, Brigitte, and Frans Van Waarden. 2013. “How to Dodge Drowning in Data? Rule - and Risk-Based Anti-Money Laundering Policies Compared.” Chapter 29 in Research Handbook on Money Laundering, edited by Brigitte Unger and Daan van der Linde, 399–425. Cheltenham, United Kingdom: Edward Elgar. United States Environmental Protection Agency (EPA). 2012. “Expert Elicitation White Paper.” Washington, DC: EPA. https://cfpub.epa.gov/si/si_public_record_report.cfm?Lab=OSA&count= 10000&dirEntryId=155023&searchall=&showcriteria=2&simplesearch=0&timstype=. <<< 43 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs van der Does de Willebois, Emile, Emily M. Halter, Robert A. Harrison, Ji Won Park, and J.C. Sharman. 2011. The Puppet Masters: How the Corrupt Use Legal Structures to Hide Stolen Assets and What to Do about It. Washington, DC: World Bank Group. van der Veen, Henk, and Lars Franciscus Heuts. 2018. National Risk Assessmen: Witwassen en Terrorismefinanciering 2021, Bonaire, Sint Eustatius en Saba. the Hague, the Netherlands: WODC (Research and Documentation Centre). https://www.wodc.nl/onderzoeksdatabase/2689g- national-risk-assessment-bes-eilanden.aspx. van Dijk, Jan J., and Andromachi Tseloni. 2012. “Global Overview: International Trends in Victimization and Recorded Crime.” In The International Crime Drop: New Directions in Research, edited by Jan van Dijk, Andromachi Tseloni, and Graham Farrell, 11–36. London: Palgrave Macmillan. Willis, Henry H. 2007. “Guiding Resource Allocations Based on Terrorism Risk.” Risk Analysis 27 (3): 597–606. Willis, Henry H., Andrew R. Morral, Terrence K. Kelly, and Jamison Jo Medby. 2005. Estimating Terrorism Risk. Santa Monica, CA: Rand Corporation. <<< 44 EQUITABLE GROWTH, FINANCE & INSTITUTIONS INSIGHT | National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs