Section 4 of the Regulation on Sound Operational Management relating to the Act on the Supervision of Trust Offices (Regeling integere bedrijfsvoering Wet toezicht trustkantoren – Rib) stipulates that trust offices must perform regular analyses of their inherent integrity risks. This Q&A sets out why trust offices must carry out regular risk analyses, what exactly these analyses entail and how trust offices should prepare them.
Risk analysis: why, what and how
Why should trust offices carry out regular risk analyses?
It is essential that trust offices are aware of the integrity risks associated with their operational management in order to ensure - through adequate risk mitigation - sound operational management. Trust offices can identify these risks by carrying out a risk analysis and take appropriate mitigating measures. These measures should be appropriate for the specific risks applying to the trust office concerned.
The analysis forms the basis for the trust office's integrity policy and the ensuing internal procedures, processes and arrangements. The better the measures are aligned to the specific inherent risks, the better these risks can be mitigated. Carrying out a risk analysis creates awareness of the trust office's own organisation and its risks, encourages conscious reflection on the organisation's risk appetite and provides insight into how risks can be mitigated. Adequate risk analysis prevents the trust office from becoming involved in activities that are illegal or too risky.
What does a risk analysis entail?
Pursuant to Section 4 of the Rib, trust offices must carry out regular risk analyses of the integrity risks inherent to their operational management. This analysis serves to identify the risks at multiple levels. First of all it identifies the risks inherent to the trust office's organisational structure. For example, the outsourcing of certain activities, the organisation's remuneration structure or the staff's level of education may lead to risks for the trust office. In addition, it covers the various services the trust office provides, which involve different integrity risks. Finally, the analysis covers the clients and other parties the trust office conducts business with. For example, if the client portfolio mainly consists of high-risk clients, this increases the risks for the trust office. The risk analysis can provide better insight into how the trust office operates and deals with the risks associated with its operations.
The analysis forms the basis for any mitigating measures to be taken, and is therefore a crucial starting point for taking adequate action.
How should the trust office carry out a risk analysis?
The trust office's management board is responsible for carrying out the risk analysis. The management board must ensure that all relevant staff members - including the control functions - are involved in carrying out the analysis. In addition, the management board is responsible for ensuring that all staff members working for the trust office have read and understood the risk analysis.
Step 1: regular identification of relevant risks
The trust office documents the risk analysis and ensures that the risk analysis document is updated on a regular basis. In general, an annual revision is considered sufficient. However, in the event of significant changes in operational management, services, client portfolio or the regulatory framework, earlier revision may be required. Geopolitical developments and associated sanctions may also be a reason for early revision of the risk analysis.
It is essential that the trust office looks at its own organisation from a broad perspective, to prevent blind spots from making the analysis incomplete. Engaging the services of a third party may help prevent blind spots from occurring.
The two components of the definition of 'integrity risk' in the Rib, i.e. non-compliance with statutory requirements and the trust office's involvement in improper conduct, may serve as a starting point for carrying out the risk analysis. Integrity risks arise whenever the trust office acts in breach of the letter or the spirit of the law, or in conflict with unwritten law. The trust office should consider all these risks in its risk analysis.
Examples of integrity risks that materialise as a result of non-compliance with statutory requirements are involvement in money laundering, corruption, ordinary criminal offences, conflicts of interests and non-compliance with sanctions regulations. In order to identify the risks related to operational management, the trust office should consider:
- its organisational structure;
- the countries in which it is active;
- its distribution channels;
- the nature of the services provided;
- the types of clients in its portfolio.
Below is a further explanation of these elements.
The trust office's organisational structure is relevant to the risk analysis. For example, full or partial outsourcing of activities to third parties may give rise to extra risks: the trust office may lose sight of the quality of performance of these activities. If the trust office staff members’ knowledge of integrity risks is insufficient, for instance as a result of improper training, they will not in all cases be able to identify and collect the right (i.e. relevant) information from clients or prospects in good time. As a final example we mention the risks arising from perverse incentives ensuing from remuneration structures.
The countries in which the trust office is active
A trust office that is active in various countries, or which has a significant number of clients in countries other than its home country, must consider the risks arising from these international activities in its risk analysis. For example, possible sanctions and their effects should be taken into account. A country's legal system is also an important indicator for determining the inherent risks of undertaking activities in that country.
The trust office's distribution channels
A trust office offering its services through intermediaries or using feeders must consider the inherent risks of these channels in its risk analysis.
The nature of the services provided
The risk analysis must also address the nature of services provided by the trust office. Some trust offices explicitly do not offer domiciliation services because of the limited information position, which makes it very difficult to maintain a current overview of the activities and risks associated with services to the object company or the ultimate beneficial owner (UBO). These trust offices only provide a registered address if they also deliver management services and are responsible for the company's accounting.
The types of clients in the trust office's portfolio
A trust office must consider in its risk analysis the inherent risks resulting from attracting certain types of clients with its services. These risks may relate to natural as well as legal persons. This may for example concern services that attract a relatively large number of PEPs from countries scoring high on the Corruption Perception Index. Another example is a relatively large group of clients served through an intermediary or feeder. A third example is serving clients that are legal persons rather than natural persons. The trust office must consider the risks that are inherent to service provision to certain limited partnership structures and object companies performing operational activities abroad.
Please note that the risk analysis is not concerned with individual clients' risk profiles, but with the risks resulting from serving certain groups of clients and/or maintaining business relationships with these groups.
Step 2: analysing the likeliness of materialisation and impact of risks
Following identification of the inherent risks to operational management, the trust office should estimate the likeliness of materialisation for each of these risks, as well as the impact of such materialisation on the trust office's operations. Note that this concerns two different elements: the likeliness of a certain risk materialising may be small, but the impact of actual materialisation of this risk may be high.
The trust office should consider for each risk whether it is acceptable and how it should be mitigated.
Step 3: sound operational management
On the basis of the risk analysis, the trust office determines what mitigating measures to take at the level of its operational management. A client portfolio with a relatively high inherent risk may prompt the trust office to strengthen its customer due diligence and monitoring procedures, with an important role for the organisation's second-line control function. Most mitigating measures taken will therefore relate to the organisational structure, i.e. the trust office's governance.
If the risk analysis reveals unacceptable risks, the trust office may decide to discontinue certain services or no longer offer services to certain types of clients.
Step 4: monitoring and revising risks
Following implementation of the control measures, the trust office must periodically assess whether they are adequate and to what extent the risks are actually mitigated. The results of this monitoring process serve as a basis for the regular risk analysis revision and may prompt the trust office to review the measures.
The Rib is not the only regulation with a systematic risk analysis requirement: the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en het financieren van terrorisme – Wwft) contains a similar requirement, which also applies to trust offices. Section 3 of the DNB Guidance document on the Anti-Money Laundering and Anti-Terrorist Financing Act and the Sanctions Act (DNB Leidraad Wwft en SW) contains a description of how these institutions should perform the required systematic risk analysis, similar to this Q&A.
See for example Transparency International's Corruption Perception Index.