xmlns:atom="http://www.w3.org/2005/Atom"

CHAPTER I GENERAL PROVISIONS

SECTION 2 Risk assessment

Article 6

1.The Commission shall conduct an assessment of the risks of money laundering and terrorist financing affecting the internal market and relating to cross-border activities.

To that end, the Commission shall, by 26 June 2017, draw up a report identifying, analysing and evaluating those risks at Union level. Thereafter, the Commission shall update its report every two years, or more frequently if appropriate.

2.The report referred to in paragraph 1 shall cover at least the following:

(a)the areas of the internal market that are at greatest risk;

(b)the risks associated with each relevant sector;

(c)the most widespread means used by criminals by which to launder illicit proceeds.

3.The Commission shall make the report referred to in paragraph 1 available to the Member States and obliged entities in order to assist them to identify, understand, manage and mitigate the risk of money laundering and terrorist financing, and to allow other stakeholders, including national legislators, the European Parliament, the ESAs, and representatives from FIUs to better understand the risks.

4.The Commission shall make recommendations to Member States on the measures suitable for addressing the identified risks. In the event that Member States decide not to apply any of the recommendations in their national AML/CFT regimes, they shall notify the Commission thereof and provide a justification for such a decision.

5.By 26 December 2016, the ESAs, through the Joint Committee, shall issue an opinion on the risks of money laundering and terrorist financing affecting the Union's financial sector (the ‘joint opinion’). Thereafter, the ESAs, through the Joint Committee, shall issue an opinion every two years.

6.In conducting the assessment referred to in paragraph 1, the Commission shall organise the work at Union level, shall take into account the joint opinions referred to in paragraph 5 and shall involve the Member States' experts in the area of AML/CFT, representatives from FIUs and other Union level bodies where appropriate. The Commission shall make the joint opinions available to the Member States and obliged entities in order to assist them to identify, manage and mitigate the risk of money laundering and terrorist financing.

7.Every two years, or more frequently if appropriate, the Commission shall submit a report to the European Parliament and to the Council on the findings resulting from the regular risk assessments and the action taken based on those findings.

Article 7

1.Each Member State shall take appropriate steps to identify, assess, understand and mitigate the risks of money laundering and terrorist financing affecting it, as well as any data protection concerns in that regard. It shall keep that risk assessment up to date.

2.Each Member State shall designate an authority or establish a mechanism by which to coordinate the national response to the risks referred to in paragraph 1. The identity of that authority or the description of the mechanism shall be notified to the Commission, the ESAs, and other Member States.

3.In carrying out the risk assessments referred to in paragraph 1 of this Article, Member States shall make use of the findings of the report referred to in Article 6(1).

4.As regards the risk assessment referred to in paragraph 1, each Member State shall:

(a)use it to improve its AML/CFT regime, in particular by identifying any areas where obliged entities are to apply enhanced measures and, where appropriate, specifying the measures to be taken;

(b)identify, where appropriate, sectors or areas of lower or greater risk of money laundering and terrorist financing;

(c)use it to assist it in the allocation and prioritisation of resources to combat money laundering and terrorist financing;

(d)use it to ensure that appropriate rules are drawn up for each sector or area, in accordance with the risks of money laundering and terrorist financing;

(e)make appropriate information available promptly to obliged entities to facilitate the carrying out of their own money laundering and terrorist financing risk assessments.

5.Member States shall make the results of their risk assessments available to the Commission, the ESAs and the other Member States.

Article 8

1.Member States shall ensure that obliged entities take appropriate steps to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. Those steps shall be proportionate to the nature and size of the obliged entities.

2.The risk assessments referred to in paragraph 1 shall be documented, kept up-to-date and made available to the relevant competent authorities and self-regulatory bodies concerned. Competent authorities may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.

3.Member States shall ensure that obliged entities have in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity. Those policies, controls and procedures shall be proportionate to the nature and size of the obliged entities.

4.The policies, controls and procedures referred to in paragraph 3 shall include:

(a)the development of internal policies, controls and procedures, including model risk management practices, customer due diligence, reporting, record-keeping, internal control, compliance management including, where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at management level, and employee screening;

(b)where appropriate with regard to the size and nature of the business, an independent audit function to test the internal policies, controls and procedures referred to in point (a).

5.Member States shall require obliged entities to obtain approval from their senior management for the policies, controls and procedures that they put in place and to monitor and enhance the measures taken, where appropriate.