Spanish Financial Watchdog Publishes Results of 2024 Review on Money Laundering Risk Assessments

Key Takeaways

• Reviewed Entities: The CNMV reviewed approximately 20 entities, including investment firms (IFs), collective investment schemes (CIS), AIF managers, and EU firm branches.
• Identified Deficiencies: Many entities were found to have deficiencies in their money laundering risk assessments, especially in practical application and reporting.
• Ongoing Oversight: The CNMV will factor these deficiencies into future supervisory activities as part of its expanded role in combating money laundering.

Deep Dive

Spain’s Comisión Nacional del Mercado de Valores (CNMV) has released the results of its 2024 review on how entities under its supervision assess risks related to money laundering. The review, conducted as part of Spain’s broader push to meet new European regulations, uncovered several shortcomings in the way entities approach money laundering risk assessments, calling attention to critical areas that require improvement.

The CNMV examined about 20 entities, including investment firms, collective investment schemes (CIS), AIF managers, and branches of EU firms, to evaluate their compliance with Spain’s stringent anti-money laundering (AML) laws. These entities were tasked with assessing and documenting their money laundering risks and updating these reports regularly, but the findings show that many have fallen short in their assessments, particularly when it comes to practical application.

The CNMV’s review shows that AML risk assessments aren’t simply about ticking off a list of regulatory requirements—they need to be comprehensive, practical, and constantly evolving to stay ahead of emerging risks. For professionals in this space, it's clear: detailed, actionable risk assessments are now more critical than ever.

The CNMV flagged several deficiencies during the review, which could have serious implications for future supervisory actions:

1. Risk Reports Need More Practical Insight: While most entities followed the Sepblac guidelines on internal controls for preventing money laundering, many reports failed to provide a real-world view of their business activities. Risk assessments should be an "x-ray" of the organization’s operations, allowing for the identification of risks and the development of effective prevention systems. This disconnect between theory and practice is a glaring issue that risk professionals need to address immediately.
2. Overlooking Third-Party Risk: For entities working with agents or third-party intermediaries, the CNMV pointed out that it’s not enough to simply report these relationships. Entities need to assess the risks these parties bring, specifying their roles and liabilities related to AML practices. Failure to do so leaves room for critical vulnerabilities.
3. Remote Onboarding Risk: Remote customer onboarding, while increasingly popular, can pose significant risks if not carefully managed. Few entities were found to be adequately assessing the risks involved in this practice, which remains a key area of concern for regulators.
4. Deposits and Withdrawals: While most entities don’t allow cash transactions, those that do should take a hard look at how this practice affects their money laundering risks. The CNMV’s review highlights that cash transactions inherently increase these risks, and entities need to adopt additional safeguards.
5. National and Supranational Risk Analyses: Shockingly, only a few entities considered national and supranational risk analyses—such as those from the Spanish Treasury or the European Banking Authority (EBA)—in their risk assessments. The CNMV’s review makes it clear that such analyses must be incorporated into risk strategies moving forward, especially as European regulations evolve in 2024.

The review aligns with the new European Regulation on Money Laundering Prevention set to come into effect in 2024, which further underscores the need for tighter and more proactive oversight. These regulations will require entities to implement stronger internal controls and to demonstrate a deeper understanding of the risks they face, particularly when it comes to third-party relationships, remote onboarding, and the handling of cash transactions.

The CNMV has already notified individual entities of the deficiencies and will closely monitor these areas in its future supervisory activities. Additionally, as Spain moves toward stricter AML regulations, those businesses that don’t take proactive steps to update their risk assessments will likely find themselves under more scrutiny.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.