Integrity risk analysis


Section 2b of the Wwft obligates crypto service providers to prepare an integrity risk analysis and keep it up to date. In it, an institution must establish its risks of money laundering and terrorist financing, at a minimum taking into consideration the risk factors relating to its specific types of customers, products, services, transactions and supply channels, as well as countries or geographies. The integrity risk analysis is at the heart of any integrity policy.

Published: 12 November 2019

Before implementing or revamping controls and procedures, an institution must first thoroughly examine the nature (manifestations and scenarios of financial crime) and the scale of the risks.

This is done in two phases:

  1. Identify the possible risks
  2. Analyse and determine the nature and scale of the risks

Then follows the tailoring of the control framework: fleshing out policies, controls and procedures. The integrity risk analysis forms the basis for selecting adequate risk mitigation controls, also stating the extent to which those controls are effective in mitigating the risks identified. The outcome of the process is net risk – the magnitude of risk that remains if all procedures and controls are effective. The question then is to what extent the remaining net risk is acceptable and matches the firm's risk appetite.

The analysis also encompasses risks identified within the framework of sound and ethical operational management, such as risks inherent in outsourcing certain corporate functions. Institutions must also use their integrity risk analysis to consider whether independent compliance and audit functions are in place, as meant in Section 2d of the Wwft.

At regular intervals, firms must revisit their risks, analysis and controls, and test the effectiveness of those controls. This is because risks are not static. Risks to which a firm is exposed may change as a result of both internal and external factors. Similarly, unplanned events may necessitate an update of the analysis. Accordingly, we will check whether it is up to date as part of our supervision.

Institutions governed by the Wft are subject to a similar obligation to prepare a systematic integrity risk analysis. This is the subject of a good practices document we issued in 2015. (Should there be any discrepancies between the Dutch and the English version of this good practice document, the Dutch version shall prevail.)
