Risk assessment

The assessment of money laundering and terrorist financing risks at all levels of prevention is a cornerstone of anti-money laundering and countering of terrorist financing. Risks are assessed at various levels, all of which should be linked to one another.

Supranational risk assessment

Article 6 of the 4th Anti-Money Laundering Directive provides an obligation on the Commission to conduct an assessment of the risks of money laundering and terrorist financing affecting the internal market of the European Union and relating to cross-border activities. This risk assessment is called the Supra National Risk Assessment (SNRA).

The Commission published its first SNRA report on 26 July 2017 and the second report on 24 July 2019.

In accordance with the Directive, the Commission shall update its report every two years, or more frequently, if appropriate.

Links to the reports:

SNRA Report 2017 (pdf)


SNRA Report 2019

Further information on the supranational risk assessment from the European Commission's website:

Anti-Money Laundering and Counter Terrorist Financing

National risk assessment

As part of the prevention of money laundering and terrorist financing, Finland must prepare a national risk assessment. The risk assessment must identify and assess the risks of money laundering and terrorist financing in Finland. In preparing the risk assessment, attention must be paid to the EU's supranational risk assessment prepared by the European Commission.

In accordance with the Anti-Money Laundering Act (AML Act), the Ministry of the Interior and the Ministry of Finance act as the national authorities which coordinate the preparation of the national money laundering and terrorist financing risk assessment. The Ministry of the Interior is responsible for preparing the risk assessment on terrorist financing, while the Ministry of Finance is responsible for preparing the risk assessment on money laundering. The Ministry of the Interior and the Ministry of Finance shall publish a summary of the risk assessment.

On 18 December 2019, the Ministry of Finance and the Ministry of the Interior established a working group to prepare the national risk assessment concerning money laundering and terrorist financing (hereinafter the “risk assessment working group”) for the period from 18 December 2019 to 31 December 2020. In accordance with the establishment decision, the risk assessment working group decides, among other things, the most appropriate way to conduct the risk assessment, steers the parties involved in the risk assessment and ensures that the views of competent authorities for the prevention of money laundering and terrorist financing are taken into account in the risk assessment work.

The FIN-FSA’s Anti-Money Laundering division contributes actively to the work of the risk assessment working group.

Supervisor-specific risk assessment

Requirements for the supervisor-specific risk assessment

The FIN-FSA shall prepare an assessment of the risks of money laundering and terrorist financing among the obliged entities supervised by it.

In preparing the supervisor-specific risk assessment, the FIN-FSA must take into account:

  1. the Commission's supranational risk assessment and the risks of money laundering and terrorist financing indicated in the assessment;
  2. the national risk assessment and the national risks of money laundering and terrorist financing indicated in the assessment;
  3. the risks of money laundering and terrorist financing concerning the sector supervised by it and relating to the obliged entities and to their customers, products and services.

The risk assessment must be updated on a regular basis, and a summary of the risk assessment must be made public.

FIN-FSA’s supervisor-specific risk assessment

The FIN-FSA’s supervisor-specific risk assessment of anti-money laundering and terrorist financing is an extensive process consisting of several phases:

  1. Assessment of inherent risk

    The first phase comprises the determination of the so-called inherent risk level for each sector supervised by the FIN-FSA. In assessing the inherent risk level, the actual risk level or level of management methods is not taken into account.

    The FIN-FSA’s summary of the inherent money laundering risk levels of different sectors was published on 17 March 2020. For the time being, the published summary only addresses money laundering risks. As regards terrorist financing, the target is to roll out the methodology during 2020. In the assessment of terrorist financing risks, pertinent information accumulated in the course of the national risk assessment will play a major role.

    FIN-FSA's assessment of inherent risk (pdf)
  2. Sector-specific risk assessments

    In the second phase of the risk assessment process, a risk assessment is prepared for each sector. In preparing the sector-specific risk assessment, use is made, for example, of information collected from obliged entities in the RA survey.

    When summaries of sector-specific risk assessments are published, there will be separate communications.
  3. Entity-specific risk assessments

    As part of its supervisor-specific risk assessment, the FIN-FSA will determine a risk category for all of its supervised entities under the reporting obligation. The individual risk ratings of the obliged entities will not be made public.
    The risk rating is assigned relative to other entities operating in the same sector.

The supervisor-specific risk assessment as a whole is an important part of the development of the FIN-FSA’s risk-based AML/CFT supervision framework.

Further information on requirements concerning risk-based supervision from the European Banking Authority:

Guidelines on risk based supervision (pdf)

Risk assessment of obliged entity

In accordance with the AML Act, obliged entities shall prepare a risk assessment to identify and assess the risks of money laundering and terrorist financing. In preparing the risk assessment, each obliged entity shall take into account the nature, size and extent of its activities. The obliged entity shall have in place policies, procedures and controls that are sufficient with regard to the abovementioned factors to reduce and effectively manage the risks of money laundering and terrorist financing.

Why must a risk assessment be made?

The purpose of the risk assessment is to make each obliged entity identify and understand the risks of money laundering and terrorist financing related to its activities. Once the obliged entity has identified and assessed the risks, it will be able to adjust its risk management methods in proportion to the risk. A crucial part of the risk assessment process is to determine the obliged entity’s risk appetite, i.e. what level of risk it is willing to accept.

The AML Act also includes several obligations, compliance with which requires that a risk assessment of money laundering and terrorist financing is made first. For example, obliged entities must comply with their customer due diligence obligations based on the risks involved throughout the customer relationship. Risk-based compliance with the obligations is not possible without conducting a risk assessment.

In addition, it should be noted that the obliged entity must be able to demonstrate to the FIN-FSA that its methods concerning customer due diligence and ongoing monitoring are adequate in view of the risks of money laundering and terrorist financing.

How to prepare a risk assessment?

There is no standard format for a risk assessment; each obliged entity prepares it in a manner fitting its specific purpose.

However, the obliged entity should document how the risk assessment was made so that it is able to describe the process to the FIN-FSA where necessary. In the documentation, attention should be paid to the following considerations:

  • Who is responsible for preparing the risk assessment and which parties are involved?
  • Which sources are used in preparing the risk assessment and how?
  • When and how is the risk assessment updated?
  • How does the risk assessment affect compliance with customer due diligence requirements?
    • For example, if customers are grouped into risk categories, how were the risk categories derived from the risk assessment?

The law does not provide exact content requirements for the risk assessment. In order for the obliged entity to be able to demonstrate the adequacy of its methods regarding risks, the risk assessment should include the entity's view on the following matters:

  • How can the products or services provided by the obliged entity be utilised in laundering money or financing terrorism?
    • How have the risks of money laundering and financing of terrorism related to new and existing customers, countries or geographical areas, products, services and transactions as well as distribution channels and technologies been taken into account (risk-based assessment)?
  • What methods are used to prevent the use of the products and services in money laundering and/or terrorist financing? (management methods)
  • What vulnerabilities are related to these management methods and what actions are taken to address these vulnerabilities?
  • What is the obliged entity's assessment of the level of risk remaining (residual risk) after the estimated impact of the management methods on the risk?
  • View of whether the level of residual risk is acceptable or whether actions will be taken to reduce it further.

The results of the risk assessment steer the actions related to customer due diligence. Hence, the risk assessment must have an effect on the customer due diligence actions, and the two must not conflict. For example, customers should not be categorised based on factors that have not been identified as risk factors in the risk assessment.