The Financial Action Task Force (FATF) requires national governments to demonstrate an understanding of the distribution of money laundering risks across different sectors of the financial system. Such understanding is the foundation for effective control of money laundering under the risk-based approach called for by the FATF. We analyzed the National Risk Assessments (NRAs) of eight systemically important countries before 2020 to test whether these demonstrated that basic understanding. The eight show very different conceptualizations, analytic approaches, and products. None showed more than minimal competence at risk assessment. For example, most relied largely on expert opinion, solicited, however, in ways that violated the well-developed methodology for eliciting expert opinion. They consistently misinterpreted Suspicious Activity Reports, the most fine-grained quantitative data available on money laundering, and failed to provide risk assessments relevant for policymakers. Only one described the methodology employed. Although conducting strong money laundering risk assessments is challenging, given the difficulty of estimating the extent of laundering in any sector, existing practices can be improved. We offer some potential explanations for the failure of governments to take this task seriously. The lack of involvement of risk assessment professionals is an important contributing factor to the weaknesses of the current NRAs.

1 INTRODUCTION

Increasing the expense of, and probability of arrest for, laundering criminal proceeds is now viewed as a routine government function. A far-reaching set of controls, generally referred to as the anti-money laundering (AML) regime, has been developed over the last 30 years under the auspices of an international body, the Financial Action Task Force (FATF).

Since 2012, FATF has required that nations demonstrate a knowledge of money laundering risks. That has led many nations to prepare National Risk Assessments (NRAs). This article aims to describe the results of the first decade of efforts to bring risk assessment techniques to a new field, one in which risk professionals have not previously played a role. Indeed, one of our findings is that, despite the prominence of money laundering NRAs, risk professionals still play a minor role. This article contributes to the literature on applications of risk assessment techniques to new areas of public policy (e.g., Danner & Schulman, 2019; Scala et al., 2019).

Detecting and preventing money laundering presents, in some respects, a standard challenge for financial institutions and their regulators. Limited resources should be allocated to maximize the decision-maker's objective function. For a bank, that is maximizing profit, taking into account AML costs, as well as paying fines for failure to meet AML obligations.1 For the regulators as a collective, the objective is more difficult to specify; for the moment, assume that it is to minimize the nation's money laundering. Efficient allocation requires an understanding of how to distinguish the riskiness of customers or transactions. For those that are high risk, FATF requires that the bank or regulator increases the intensity of scrutiny; for those that are low risk, due diligence and investigation can be less rigorous.

Less standard for implementing risk analysis is the data challenge. Money laundering is a daily occurrence for any large bank. Each year, millions of transactions involve the placement of illegally derived revenues into the financial system; estimates put the total of such revenues in the hundreds of billions of dollars annually (Unger et al, 2006; Ferwerda et al., 2020). Very few of these transactions are detected. There is no basis for assuming that the characteristics of detected money laundering transactions are similar to the undetected. Although that is not novel for the risk assessment field, it presents a different problem from that faced by banks in managing most other risks, such as that of client bankruptcy or fraud, where the bank obtains data on specific occurrences, even if lagged.

This study reviews the first round of risk assessments through an assessment of the NRAs prepared by eight nations with highly sophisticated financial regulatory systems. It shows that the eight failed in eight different ways to produce meaningful risk assessments. To adapt Tolstoy's opening line to Anna Karenina: All strong money laundering NRAs resemble one another; all weak money laundering NRAs are weak in their own way. A problem with that line is the lack of examples of a strong money laundering NRA; we explain later why money laundering NRAs are so weak.

2 BACKGROUND

The FATF, a 1989 G7 creation, and now a permanent body, drives money laundering control systems everywhere. FATF has a membership of 39 mostly rich nations (Nance, 2018); almost all other countries belong to FATF Regional Style Bodies, which are themselves members of FATF. FATF's power lies in its threat of financial sanctions administered by national authorities (e.g., loss of access to dollar transactions internationally) against any nation that does not conform to FATF's 40 Recommendations (FATF, 2012). The AML system imposes obligations on financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs) to prevent criminals or terrorists from establishing accounts or conducting transactions.2 Among other things, these institutions, businesses, and professions are required to identify and report suspicious transactions (Suspicious Activity Reports: SARs)3 and undertake customer due diligence checks. Failures to do so can generate fines from national authorities against the Financial Institution or DNFBP; fines occasionally have been in the billions of dollars.4

The FATF requires each country to be evaluated for its implementation of the Recommendations and the effectiveness of its AML policies. These evaluation exercises, conducted roughly every 10 years, result in Mutual Evaluation Reports (MERs). A poor MER can have serious consequences for a country. The NRA is an important element of the MER process, in that a number of key Recommendations depend on an acceptable NRA (FATF, 2012).

FATF published a methodology for NRAs that borrowed from the International Organization for Standardization (ISO) and terrorism risk analyses but showed little awareness of the difficulties of adapting these to the specific characteristics of money laundering. From conversations with participants in the risk assessment development process, we are confident that at no stage was an outside risk assessment expert brought in to provide guidance or advice.

3 THE RISK-BASED APPROACH TO FIGHTING MONEY LAUNDERING

The FATF formally introduced the risk-based approach (RBA) to AML in their Forty Recommendations of 2003 by specifying that “Financial Institutions … may determine the extent of such measures on a risk sensitive basis” (FATF, 2003). The RBA only became mandatory in 2012. RBA means that banks and other institutions could no longer follow the specified rules blindly (as under the rule-based approach), but had to actively assess money laundering risks. For example, transactions involving complex and opaque corporate vehicles might be identified as high risk; any transaction involving such an entity would be subject to more intense scrutiny.

The RBA has been applied not only to the reporting entities:

“Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.” (FATF, 2012, p. 9)

This shows that supervisors of AML regulations (e.g., bank regulators) should apply their supervision in a risk-based manner. Recommendation 1 implies, less clearly, that enforcement agencies should also allocate resources to reflect the distribution of risk across potential channels. Thus, the importance of risk assessment by the government.

So what exact policy issue (or issues) are NRAs trying to inform? The FATF Guidance is vague on this, except that assessments “may also form the basis for determining whether to apply enhanced or specific measures, simplified measures or exemptions from AML/CTF requirements” (FATF, 2013, p. 4). This clarifies that the policy decision the NRA should inform is indeed how financial institutions and regulatory agencies allocate resources and indicates that the concern is how the risks are spread across sectors, interpreted here to mean classes of regulated institutions. Thus, an NRA should at least provide information about the relative risks of each sector. An NRA can provide much more information about money laundering risks, such as the most important forms of laundering, but relative risks across sectors should be considered the bare minimum.

4 THE FATF APPROACH TO RISK ASSESSMENT

The FATF did not publish an exact prescription of how a risk assessment ought to be conducted. It merely published a Guidance document (FATF, 2013) with the goal and some concepts explained (Celik, 2023, p. 6). Our attention is on the concepts.

FATF describes money laundering risk as a function of threat, vulnerability, and consequences. Thus applying terminology commonly used in risk assessments of terrorism (see, e.g., Willis et al., 2006, 2007; National Research Council, 2010) to money laundering. Although these labels have intuitive appeal for structuring the NRA exercise, they are in fact confusing when applied to money laundering (see also Ferwerda & Reuter, 2019). They have been extensively critiqued in the risk literature (e.g., Brown & Cox, 2011). We consider each element in turn:

(a) “A threat is a person or group of people, object or activity with the potential to cause harm to, for example, the state, society, the economy, etc. In the ML/TF context this includes criminals, terrorist groups and their facilitators, their funds, as well as past, present and future ML or TF activities.” (FATF, 2013, p. 7)

In standard risk assessment terminology, threat is the hazard to which the entity is exposed. The above definition of threat is so heterogeneous as to defy coherent description, let alone measurement. Putting together people, money, and activities to form one variable is impossible. What might be meant by “object” that constitutes a threat? Annex 1 of the Guidance (2013, p. 32–39) provides a list of over 150 Threat Factors. Most are simply predicate crimes.5 The implication is that threat should be measured by revenues but also includes such items as “Sources, location, and concentration of criminal activity, including within illegal underground areas in the economy.” In addition, if one could combine such different threat factors, what is the unit of measurement? A simple, intuitive version of the level of the national money laundering threat is the amount of money that seeks laundering. In a standard economic frame, that would be described as the demand for money laundering services (Dawe, 2013). The FATF Guidance does not invite that operationalization.

(b) “The concept of vulnerabilities as used in risk assessment comprises those things that can be exploited by the threat or that may support or facilitate its activities. In the ML/TF risk assessment context, looking at vulnerabilities as distinct from threat means focusing on, for example, the factors that represent weaknesses in AML/CFT systems or controls or certain features of a country. They may also include the features of a particular sector, a financial product or type of service that make them attractive for ML or TF purposes.” (FATF, 2013, p. 7)

The Guidance document provides many examples of vulnerability, occupying 7 pages with about 15 items on each page. The risk factors are in six broad categories, most of which are national (e.g., political stability, demographics). Only a few are specific to a particular component of the financial sector (e.g., types and ranges of customers and nature of business relationships). Individual countries interpreted “vulnerabilities” differently. In their analyses, vulnerability refers to a sector's characteristics that make it attractive (e.g., the speed of bank transactions) or weaknesses in the prevention, detection, and enforcement of money laundering events.

(c) Consequences are the adverse effects of money laundering. The guidance, as noted, states that measuring consequences of money laundering can be challenging. Therefore, a focus on only threats and vulnerabilities is acceptable. (FATF, 2013, p. 8)

Analysis of the NRAs of 8 developed countries shows no country making an explicit effort to assess consequences, except the Netherlands, where experts were asked about the potential impact of 10 specific “risks.” Using only threat and vulnerability means that the harms inflicted per dollar are implicitly assumed to be equal for all types of money laundering, all predicate crimes, and all sectors.

Acknowledging that such an assumption is unrealistic, how should one measure consequences and decide which consequences matter? Fundamental is whether the consequences of a predicate crime like selling drugs are part of the consequences of laundering drug proceeds. Yes, money laundering helps dealers freely spend drug proceeds, but technically, selling drugs is not part of the money laundering process itself. The FATF Guidance (2013, p. 7) stated that the underlying criminal activity is part of the consequence of money laundering. Consequently, it matters for a risk assessment whether a laundered dollar initially came from selling drugs, fraud, or corruption because different predicate crimes have different effects for society (see, e.g., Cohen, 2004 and McCollister et al., 2010).

With the term consequences dropping out of the equation in practice, money laundering risk, in the FATF approach, is determined by threat and vulnerability alone. Our assessment of the NRAs focuses on these two dimensions.

5 STUDY DATA AND METHODS

We analyzed 11 NRAs published by Canada, Italy, Japan, the Netherlands, Singapore, Switzerland, the United Kingdom, and the United States before 2020.6 Japan, the United Kingdom, and the United States published two NRAs in the period covered. All eight countries are FATF members. Included are two of the jurisdictions with most prominent FATFs creation, the United Kingdom and the United States. These two countries, plus Singapore and Switzerland, are among the most important global financial centers (The Global Financial Centers Index 27, 2020, p. 4). The jurisdictions span the globe: four in Europe, two in North America, and two in Asia. The International Monetary Fund (IMF) identifies these countries as jurisdictions with a systemically important financial sector.7 Five of the G7 are included; thus, these eight countries might be seen as including those most capable of being state-of-the-art,8 providing a striking finding if the maintained hypothesis (“competent at risk assessment”) is disconfirmed.

We interviewed individuals who contributed to five of the NRAs: Canada, Italy, the Netherlands, Switzerland, and the United Kingdom. Primarily, we relied on the reports themselves. Most reports provide only brief descriptions of methodology; this is a weakness as NRAs are not one-time efforts but should provide ongoing guidance.9 All, except that of Singapore, show the extent to which they relied on specific data sources: SARs, expert opinion, and vignettes. We made no effort to assess the accuracy with which they represented those sources.

For analysis purposes, we used a four-part framework to compare the eight NRAs:

Concepts used. Threats and vulnerabilities, the FATF framework's central concepts, were almost universal, though variably interpreted. Some NRAs also incorporate the concepts of inherent risk, country risk, and consequences.
Data sources. Most used SARs, enforcement actions, and expert opinion. Occasionally, there were also vignettes.
Analytic methods. This was the hardest category to code because little was said explicitly, except by the Netherlands and Switzerland.
Outputs reported. A few countries provided detailed tables, showing for each sector the levels of threat and vulnerability. Only Italy went to the next step and showed which additional regulatory interventions were most effective for each sector.

The detailed analysis appears in Ferwerda and Reuter (2022). We focus here on overall findings and the possible direction for the field.

6 DISCUSSION: HOW STRONG ARE THE NRAS?

The eight NRAs show a great variety. This is hardly surprising because FATF indicated in its Guidance document that it was not prescribing the process.

We begin with an important and useful negative lesson. Though all NRAs devoted considerable space to discussing predicate crimes and their importance in terms of criminal revenues, these assessments played a minor or no role in the NRA recommendations or policy analysis. Even for enforcement agencies, knowing the distribution of money laundering volumes across predicate crimes has little value. Their allocation of AML effort should be determined by the social costs of each crime, a very different concept from the proceeds of crime, and by the utility of AML in reducing those crimes. If AML is useful for solving homicides, that should get considerable attention, even if fraud generates more criminal revenues. It is also good news because no country has strong measures of the proceeds of crime, and most countries lack any estimates at all.10

Each NRA captured some of the required elements. Even those we assess as quite weak offered something different and useful. For example, the US NRA, lacking sector risk rankings and minimal quantitative data, provided insights by identifying relevant money laundering methods. The Singapore NRA showed that there was little evidence of substantial domestic money laundering. However, none of them came close to a well-founded and comprehensive risk assessment. The published NRAs suffer from fundamental problems concerning concepts, data sources, analysis, and outputs.

6.1 Conceptual analysis

All are conceptually confused; the authors may not be confused but the documents are unclear. We identify four major flaws:

Concepts lack clear operationalization. Most NRAs simply repeat the FATF Guidance definitions but then do not say how, for example, threats might be measured, simply listing a series of offenses. Vulnerability is operationalized in a similarly confusing and inconsistent fashion.
Many risk assessments operationalize threats and vulnerabilities at different levels. Threats are national aggregates, and vulnerabilities are sectoral.
Risk assessments are designed to inform decisions, as the FATF Guidance itself notes. An early task, then, is to identify the decision-makers and frame the analysis to help them. If banks have a specialized regulatory authority, then the assessment should consider risk in the banking sector specifically. For example, the Dutch NRA informs no specific decision-maker when it uses a category described as “financial institutions, particularly banks,” as the category includes other sectors such as insurance companies with their own regulators.
Terminological confusion exacerbates and signals the problem. Risk is used in variable ways within one NRA, making it impossible to know what is being measured. For example, the Swiss NRA includes a table (on p. 45) in which threat is both on the horizontal and vertical axes under different rubrics, rendering the cell entries meaningless. There is little understanding of the ambiguity of some indicators. For example, some NRAs (e.g., Japan) interpret characteristics of closed cases as providing evidence of patterns of money laundering, whereas others (e.g., the United Kingdom) interpret them as indicative of the pattern of enforcement. In fact, closed cases reflect both the underlying distribution of offenses and enforcement agencies investigative choices; separating the two effects is a major analytic undertaking.11

6.2 Data sources

Most NRAs relied on just one or two data sources. At an extreme, the Dutch NRA uses only expert opinion. Italy used the greatest variety of data sources, though expert opinion ultimately determined the assessments, with the other data sources as inputs for the discussion.

The quality of the data sources is never systematically assessed but taken at face value; indeed, it is rarely described. There is no effort to triangulate or test the plausibility of conclusions from one source with data from another source.

6.3 Analysis

Discussing the NRA analytic methods is difficult because few are described. Some did little more than present numbers, such as the NRAs for Japan and Singapore. The United Kingdom used a model developed by law enforcement agencies that is unavailable in open-source form; no one can assess its credibility for the purpose. The methodology descriptions vary between non-existent (Singapore) and very thin (the United States), except for the Netherlands and Switzerland. Progress, both for successive NRAs in a given country and for the field as a whole, is dependent on better documentation of methods and procedures. Our interviews with participants in second round NRA efforts gave the strong impression that documentation was inadequate, even within the agency files.

6.4 Outputs

The outputs of the NRAs vary greatly. Some countries (like the United Kingdom and the Netherlands) provide detailed rankings of the risk associated with sectors and products. Uniquely, Italy goes even further and identifies which of four different methods could be used to improve the effectiveness of AML in a specific sector. At the other extreme, the United States provides no relative risk measures, even of the vaguest kind, but only the reassurance that the system was robust, hardly consistent with the evidence from its own investigations.

Some countries went beyond relative risk statements and provided risk classifications. These labels are not standardized across countries. Canada's alarming 16 out of 27 sectors/products being labeled high risk, suggesting a highly exposed system12, cannot be compared to the UK finding that only 3 out of 12 should be labeled high risk.

That raises a question of interpretation. Switzerland correctly notes that money laundering risk cannot be eliminated. However, one may ask whether a system in which six separate classes of institutions are classified as high risk is consistent with the claim that “Switzerland has a full, coordinated and effective range of legal and institutional resources for combating money laundering and terrorist financing” (Swiss NRA, p. 4). Perhaps the US claim to a robust system (US NRA, 2015, p. iii) is simply a different national tolerance for money laundering risk.

6.5 Why are these NRAs so weak?

Reviewing NRAs from leading nations is dispiriting. We can only provide a speculative explanation for their weakness. Here, we also draw on a World Bank analysis of the strengths of the NRAs as reflected in their evaluation in the MERs (Celik, 2023). That study also saw the NRAs as generally weak.

Box Checking—One plausible explanation of the NRAs’ low quality is that they were simply a “box-checking” exercise. At least one participant supported this interpretation. In his country, the preparation and publication of the NRA had attracted no attention from the many agencies involved in its development. He had received no comments once it was published, nor had he been asked to brief any agency. Further evidence for this claim is that almost no country had published a risk assessment before the FATF requirement was imposed in 2012, notwithstanding the effort to create an RBA for AML in 2003. Repeatedly, we were told that the NRA was conducted in preparation for an MER, not because it was believed to be important for the efficient operation of the money control system. Similarly, the World Bank noted that 60 of the 146 NRAs it examined had been conducted within 12 months of the on-site visit for the MER.

As the FATF Guidance is so general, it is an easy box to check. The variety of approaches approved by MERs is evidence of that. None of the eight NRAs, fundamentally flawed as they are, attracted serious MER criticism. One experienced observer noted that the FATF plenaries, at which draft MERs are discussed, had occasionally suppressed criticisms of specific NRAs, suggesting that these exercises only had to show an “understanding” of the risks, a relatively low bar.

The narrow world of AML—No NRA showed awareness of the broader risk assessment literature. There is an occasional ritual reference to ISO 31000, but no use of any specifics of the framework. The ISO reference in the individual NRAs is essentially cut and pasted from the FATF Guidance, which itself makes little use of the ISO standard. The lack of use of consulting firms, which have expertise in risk assessment, also indicates a reluctance to embrace a broader array of technical skills.

The FATF Guidance (p. 6) mentions that concepts are “usefully described elsewhere” when referring to the international ISO standard for risk assessments but continues without using these concepts and introducing their own conceptual framework where risk is a function of threat, vulnerability, and consequences. The word “hazard” (as standard in the international literature on risk assessment and the ISO standard) is not used once in the FATF Guidance. In the ISO (2009) standard 31010 document, the word “hazard” is used 83 times in 92 pages. On the other hand, although the FATF frequently mentions vulnerability, in ISO standard 31000, the term vulnerability never appears.

The AML community has not tried to develop a stronger NRA methodology. Some interviewed NRA participants reported that they had read two or three other NRAs but rarely had reached out to consult with other nations. At the FATF plenaries, there are regular side events in which a nation presents its NRA but observers report no meaningful critique emerging from these events. There are no symposia or workshops that have tried to cultivate an NRA community. That only the Netherlands provided an adequate description of their methodology is a further indication of indifference to the development of the field.

7 CONCLUSION

The NRA exercise for money laundering is in its early stages. There is no shame in stumbling at the starting gate; that has happened in other spheres as well.13 A variety of approaches is healthy for an institutional setting without a strong history of empirical analysis. Less forgivable is the lack of transparency and the failure to learn from the experiences of different countries. Fortunately, these faults can readily be remedied. Bringing in risk assessment professionals is surely one of the requirements.

ACKNOWLEDGMENTS

We gratefully acknowledge helpful comments from Kateryna Bogulslavska, Steve Dawe, Elisa de Anda, Mario Gara, Tom Keatinge, Michael Levi, Mark Nance, Michele Riccardi, Jason Sharman, and Tjalling Jan van Koningsveld. We also thank the reviewers selected by Risk Analysis for this publication and the reviewers selected by the World Bank for an earlier version of this publication. The authors are responsible for any remaining errors.

FUNDING INFORMATION

This study was not externally funded.

CONFLICT OF INTEREST STATEMENT

The authors declare no potential conflicts of interest.

LIST OF NATIONAL RISK ASSESSMENT DOCUMENTS

Canada (2016) Assessment of Inherent Risks of Money Laundering and Terrorist Financing in Canada, Department of Finance

Italy (2014) Analysis of Italy's National Money-Laundering and Terrorist Financing Risks, Financial Security Committee, July 2014, Methodology

Italy (2014) Italy's National Assessment of Money-Laundering and Terrorist Financing Risks, Financial Security Committee, Synthesis

Japan (2015) National Risk Assessment of Money Laundering and Terrorist Financing, Working Group on the National Risk Assessment of Money Laundering and Terrorist Financing Of Liaison Conference of Related Ministries and Agencies for Implementation of FATF Recommendations, December 2014, Tentative Translation

Japan (2017) National Risk Assessment of Money Laundering and Terrorist Financing, National Public Safety Commission, November 2017, Tentative Translation

Japan (2017) National Risk Assessment of Money Laundering and Terrorist Financing, NationalPublic Safety Commission, November 2017, Tentative Translation

Netherlands (2017) National Risk Assessment on Money Laundering for the Netherlands, H.C.J. van der Veen and L.F. Heuts, Scientific Research and Documentation Centre, Ministry of Justice and Security, Cahier 2017–a13a

Singapore (2013) Singapore National Money Laundering and Terrorist Financing Risk assessment Report, Ministry of Home Affairs, Ministry of Finance and Monetary Authority of Singapore

Switzerland (2015) Report on the national evaluation of the risks of money laundering and terrorist financing in Switzerland, Report of the interdepartmental coordinating group on combating money laundering and the financing of terrorism (CGMF), June 2015

UK (2015) UK national risk assessment of money laundering and terrorist financing, HMT reasury and Home Office, October 2015

UK (2017) National risk assessment of money laundering and terrorist financing 2017, HMT reasury and Home Office, October 2017

US (2015) National Money Laundering Risk Assessment, Department of the Treasury

US (2018) National Money Laundering Risk Assessment

REFERENCES

Bottomley, A. K., & Coleman, C. (1981). Understanding crime rates: Police and public roles in the production of official statistics. Gower.
Google Scholar
Black, D. J. (1970). Production of crime rates. American Sociological Review, 35(4), 733–748.
10.2307/2093948
Web of Science®Google Scholar
Brown, G. G., & Cox, L. A. Jr. (2011). How probabilistic risk assessment can mislead terrorism risk analysts. Risk Analysis, 31(2), 196–204.
10.1111/j.1539-6924.2010.01492.x
PubMedWeb of Science®Google Scholar
Celik, K. (2023). Lessons learned from the first generation of national risk assessments. EFI Insight-Finance. World Bank.
Google Scholar
Cohen, M. A. (2004). The costs of crime and justice.Routledge.
10.4324/9780203313145
Google Scholar
Crevel, R. W., Baumert, J. L., Baka, A., Houben, G. F., Knulst, A. C., Kruizinga, A. G., Luccioli, S., Taylor, S. L., & Madsen, C. B. (2014). Development and evolution of risk assessment for food allergens. Food and Chemical Toxicology, 67, 262–276.
10.1016/j.fct.2014.01.032
CASPubMedWeb of Science®Google Scholar
Danner, C., & Schulman, P. (2019). Rethinking risk assessment for public utility safety regulation. Risk Analysis, 39(5), 1044–1059.
10.1111/risa.13236
PubMedWeb of Science®Google Scholar
Dawe, S. (2013). Conducting national money laundering or financing of terrorism risk assessment. In B. Unger & D. Linde (Eds.), Research handbook on money laundering (pp. 110–126). Edward Elgar.
10.4337/9780857934000.00018
Google Scholar
Dijk, J. V., & Tseloni, A. (2012). Global overview: International trends in victimization and recorded crime. In J. Dijk, A. Tseloni, & G. Farrell (Eds.), The international crime drop: New directions in research. Palgrave Macmillan.
Google Scholar
Financial Action Task Force (FATF). (2003). The forty recommendations. FAFT. https://www.fatfgafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202003.pdf
Google Scholar
Financial Action Task Force (FATF). (2012). International standards on combating money laundering and the financing of terrorism & proliferation: The FATF recommendations. FATF/OECD. http://www.nrb.org.np/fiu/notices/Revised_FATF_Recommendations(2Feb2012)_FATF-WGEI(2012).pdf
Google Scholar
Financial Action Task Force (FATF). (2013). FATF guidance national money laundering and terrorist financing risk assessment. FATF. http://www.fatfgafi.org/media/fatf/content/images/National_ML_TF_Risk_Assessment.pdf
Google Scholar
Ferwerda, J., & Reuter, P. (2019). Learning from money laundering national risk assessments: The case of Italy and Switzerland. European Journal on Criminal Policy and Research, 25(1), 5–20.
10.1007/s10610-018-9395-0
Web of Science®Google Scholar
Ferwerda, J., & Reuter, P. (2022). National assessments of money laundering risks. World Bank. https://openknowledge.worldbank.org/bitstream/handle/10986/37305/IDU02386c9b80f623045e70bf8a09a30b6162595.pdf?sequence=1
Google Scholar
Ferwerda, J., van Saase, A., Unger, B., & Getzner, M. (2020). Estimating money laundering flows with a gravity model-based simulation. Scientific Reports, 10(1), 18552.
10.1038/s41598-020-75653-x
CASPubMedWeb of Science®Google Scholar
International Organization for Standardization (ISO). (2009). risk management—Risk assessment techniques, IEC/FDIS 31010. International Standard.
Google Scholar
Masse, T., O'Neil, S., & Rollins, J. (2007). The Department of Homeland Security's risk assessment methodology: Evolution, issues, and options for Congress. Library of Congress, Washington DC Congressional Research Service.
Google Scholar
McCollister, K. E., French, M. T., & Fang, H. (2010). The cost of crime to society: New crime-specific estimates for policy and program evaluation. Drug and Alcohol Dependence, 108(1–2), 98–109.
10.1016/j.drugalcdep.2009.12.002
PubMedWeb of Science®Google Scholar
Morris, H., Mainelli, M., & Wardle, M. (2020). The Global Finance Centres Index 27.
Google Scholar
Nance, M. T. (2018). Re-thinking FATF: An experimentalist interpretation of the Financial Action Task Force. Crime, Law and Social Change, 69(2), 131–152.
10.1007/s10611-017-9748-5
Web of Science®Google Scholar
National Research Council. (2010). Review of the Department of Homeland Security's approach to risk analysis. National Academies Press.
Google Scholar
O'Brien, R. M. (1996). Police productivity and crime rates: 1973–1992. Criminology, 34(2), 183–207.
10.1111/j.1745-9125.1996.tb01202.x
Web of Science®Google Scholar
Scala, N. M., Reilly, A. C., Goethals, P. L., & Cukier, M. (2019). Risk and the five hard problems of cybersecurity. Risk Analysis, 39(10), pp. 2119–2126.
10.1111/risa.13309
PubMedWeb of Science®Google Scholar
Tonry, M. (2016). What should we expect from police data: Can they tell us whether crime rates rise or fall? Cahiers—Police Studies, Minnesota Legal Studies Research Paper No. 16–36.
Google Scholar
Unger, B., Siegel, M., Ferwerda, J., De Kruijf, W., Busuioic, M., Wokke, K., & Rawlings, G. (2006). The amounts and the effects of money laundering. Report for the Ministry of Finance, 16(2020.08), 22.
Google Scholar
Unger, B., & van Waarden, F. (2013). How to dodge drowning in data? Rule-and risk-based anti-money laundering policies compared. In B. Unger & D. Van Der Linde (Eds.)., Research handbook on money laundering (pp. 399–425). Edward Elgar.
10.4337/9780857934000.00042
Google Scholar
Vander Doesde, W., Emile, J. M., Halter, E. M., Harrison, R. A., Park, J. W., & Sharman, J. C. (2011). The puppet masters: How the corrupt use legal structures to hide stolen assets and what to do about it. The World Bank.
10.1596/978-0-8213-8894-5
Google Scholar
Willis, H. H. (2007). Guiding resource allocations based on terrorism risk. Risk Analysis: An International Journal, 27(3), 597–606.
10.1111/j.1539-6924.2007.00909.x
PubMedWeb of Science®Google Scholar
Willis, H. H., Morral, A. R., Kelly, T. K., & Medby, J. J. (2006). Estimating terrorism risk. Rand Corporation.
Google Scholar

1 Almost all major banks have now been fined large amounts for AML violations, so the reputational loss is probably minimal.
2 The FATF regime also deals with the fight against terrorist financing; indeed, it is usually referred to as the anti-money laundering and counter-terrorism finance (AML/CTF) regime. This article focuses on money laundering.
3 Some countries call these Suspicious Transaction Reports; in the Netherlands, they are called Unusual Transaction Reports. We use SARs to cover all three.
4 Each of the 10 largest European banks has been fined more than $100 million for money laundering violations.
5 Predicate crimes for money laundering are crimes that can generate money that needs to be laundered, for example, drug sales or fraud.
6 Two other NRAs by these countries were not included. A 2019 Italian NRA has not been published in English. A 2020 Dutch NRA came out after the analysis was completed.
7 https://www.imf.org/external/np/fsap/mandatoryfsap.htm
8 These countries might not per se be those most interested in performing the NRA exercise well; countries more threatened by “blacklisting” by the FATF might be more motivated. Our focus has been on selecting the countries that are most likely the most capable.
9 The FATF Guidance states: “Recommendation 1 requires that countries assess risks ‘on an ongoing basis,’ and that they keep assessments up-to-date” (p. 18).
10 For example, the Canadian mutual evaluation refers to proceeds of crime estimates of $47 billion and RCMP estimates of money laundering of $5–15 billion, which are hard to reconcile. An unpublished 2013 IMF study examined proceeds of crime estimates for 35 jurisdictions encompassing about one third of global GDP. The IMF sought estimates for 24 different crimes; for 10 of those 24 crimes, fewer than half of the countries had estimates.
11 Many have devoted considerable effort to just this endeavor for crime generally; see, for example, Black (1970), Bottomley and Coleman (1981), O'Brien (1996), Dijk and Tseloni (2012), and Tonry (2016).
12 The Canadian finding is perhaps less alarming if one remembers that this is a categorization based on “inherent risk” rather than “mitigated risk.” The latter were never published.
13 For instance, see Masse et al. (2007) for an overview of the development of risk assessment methodologies by the US Department of Homeland Security for terrorism risks. Crevel et al. (2014) showed how risk assessments evolved for food allergens.

Early View

Online Version of Record before inclusion in an issue

National assessments of money laundering risks: Stumbling at the start

Abstract