All financial services firms in the UK are required to carry out risk assessments for Anti-Money Laundering (AML) and Countering Terrorist Financing (CTF). Yet a survey of AML audits reveals that some firms do not have risk assessments, and many that do, fail to record the rationale they adopted when arriving at their risk assessment.
Effective AML and CTF risk assessments are not rocket science. I have spent a material portion of my career in senior AML roles in banks, as a Money Laundering Reporting Officer in a regulatory compliance function, and more recently at fscom advising companies on AML and CTF risk management. Based on these experiences, I recommend four simple steps that companies should follow to develop a best practice AML and CTF regime, that reflects your firm’s risk and importantly, is also proportionate.
In this blog, I will summarise these steps, and you can watch the full webinar here.
Why risk assessments matter
Firstly, why should you do an AML and CTF risk assessment? Well, it’s required by section 8 of the UK’s 2017 Money Laundering Regulations (MLR). This states: “A relevant person must take appropriate steps to identify and assess the risk of money laundering and terrorist financing to which its business is subject”.
There are two subsections of these rules that are important but often get overlooked:
This regulatory driver is important, but there is another good reason for companies to do a risk assessment. Money launderers and terrorist financiers test and probe to find financial service providers whose onboarding processes are more lax, and avoid those with strong procedures. So effective AML and CTF compliance reduces your risk of being targeted by money launderers and those trying to fund terrorism.
Step one: Defining inherent risk
The first step in a risk assessment is to understand and identify the inherent risks facing your firm. These will vary according to the firm’s size, range of products and services, customer base and where it operates. When I work with firms, I encourage them to capture their risks into the following broad groupings:
You then need to take your long list of risks and assess which carry the highest risk for your company. To decide whether each risk is high, medium, or low, you should consider:
Plotting each risk as red, amber, or green on an Excel spreadsheet will give you clear view of the relative risks.
That lets you easily pick out the most pressing risks that are proportionate to your business.
Step two: Tackling these risks
On occasions, having evaluated the inherent risks, firms will identify that some form of corrective action is required to remedy a highlighted shortfall in a procedure and / or control. Recording these on the firm’s AML & CTF risk assessment ensures they get visibility, and additionally any corrective actions can be tracked through to completion.
The next key task is for the firm to identify what controls are proportionate to bring the identified inherent risk down to a residual risk level that aligns to the firm’s AML & CTF risk appetite. Sometimes, it might be one control or a mix of controls that are required. The acid test for the controls is do they alleviate the probability of the risk happening, reduce any impact and ultimately see the risk rating reduce to an acceptable risk level for the firm.
Another really valuable stage at this point is the creation of Key Risk Indicators (KRIs). This is a great tool for a firm to draft and monitor performance against. A firm’s performance against its KRIs should be a component that is captured in regular AML & CTF Management Information.
Step three: Test and review
It is not enough to implement what you think are the right AML and CTF controls, but firms should also monitor and test them regularly. Testing should ideally be undertaken by someone with a degree of independence from the risk areas and use proportionate sampling.
22% of attendees at our recent webinar thought it constituted a crisis for a company if testing shows a control has failed. However, the importance of knowing that a control has failed is that it is preferable to know you have an issue so you can figure out how to resolve it, as opposed to be unaware or become aware of a control fail when it is too late to deploy corrective actions
Testing should be done regularly, especially when the risk is higher. Companies’ sizes and services change over time – the level of risk does not stand still so nor should your testing and monitoring.
A good example of undertaking a practical monitoring test on controls would be a firm wants its exposure to high-risk clients to be less than 15% of its client base, regular monitoring will identify when the proportion reaches 12% and onboarding of high-risk clients can be halted, thus respecting a KRI for that firm.
Step four: Share your findings
Compliance teams should share risk assessments and audits with senior management and seek their buy-in. A Money Laundering Reporting Officer must escalate risk management information, seek approval for risk assessments and decisions, and ensure the Board and executive team understand the risks the firm face and can act when appropriate.
All of this is simply practical and effective compliance. But it is worth investing time in the process. It makes it more likely that you will capture the relevant risks, put in place the right controls, and be better positioned to give your board and regulators assurance.
More guidance on this process can be found in our previous blogs. If you would like further advice on how to improve your company’s management of AML and CTF risks, please do not hesitate to get in touch.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
