Best Practice Guidance for AML and CTF risk assessments


All financial services firms in the UK are required to carry out risk assessments for Anti-Money Laundering (AML) and Countering Terrorist Financing (CTF). Yet a survey of AML audits reveals that some firms do not have a risk assessment at all, and many that do fail to record the rationale they adopted when arriving at it.

Effective AML and CTF risk assessments are not rocket science. I have spent a material portion of my career in senior AML roles in banks, as a Money Laundering Reporting Officer in a regulatory compliance function, and more recently at fscom advising companies on AML and CTF risk management. Based on these experiences, I recommend four simple steps that companies should follow to develop a best practice AML and CTF regime: one that reflects your firm’s risk and, importantly, is also proportionate.

In this blog, I will summarise these steps, and you can watch the full webinar here.


Why risk assessments matter

Firstly, why should you do an AML and CTF risk assessment? Well, it’s required by regulation 18 of the UK’s 2017 Money Laundering Regulations (MLR). This states: “A relevant person must take appropriate steps to identify and assess the risk of money laundering and terrorist financing to which its business is subject”.

There are two further provisions of these rules that are important but often get overlooked:

  • MLR 18, subsection 6 says companies must retain “the information on which that risk assessment is based”, so they can show the rationale for a decision to auditors or the supervisor if required.
  • MLR 19, subsection 3(e) requires “the monitoring and management of compliance with and the internal communication of such policies, controls and procedures”.

This regulatory driver is important, but there is another good reason for companies to do a risk assessment. Money launderers and terrorist financiers test and probe to find financial service providers whose onboarding processes are lax, and avoid those with strong procedures. Effective AML and CTF compliance therefore reduces your risk of being targeted by money launderers and those trying to fund terrorism.


Step one: Defining inherent risk

The first step in a risk assessment is to understand and identify the inherent risks facing your firm. These will vary according to the firm’s size, range of products and services, customer base and where it operates. When I work with firms, I encourage them to capture their risks under the following broad groupings:

  • Oversight and governance
  • Financial crime training
  • Transactional risk
  • Management information
  • Product risk review
  • Suspicious activity reporting
  • Client risk assessment

You then need to take your long list of risks and assess which carry the highest risk for your company. To decide whether each risk is high, medium or low, you should consider:

  • The probability of the risk happening
  • The impact it would have
  • The risk of a breach of legislation or regulation
  • The impact on your reputation
  • The likely extent of financial loss
  • The value of any potential funds laundered

Plotting each risk as red, amber or green on an Excel spreadsheet will give you a clear view of the relative risks, and lets you easily pick out the most pressing ones, so that the effort you direct at them is proportionate to your business.


Step two: Tackling these risks

On occasion, having evaluated the inherent risks, firms will identify that some form of corrective action is required to remedy a highlighted shortfall in a procedure and/or control. Recording these on the firm’s AML & CTF risk assessment gives them visibility and allows each corrective action to be tracked through to completion.

The next key task is for the firm to identify what controls are proportionate to bring the identified inherent risk down to a residual risk level that aligns with the firm’s AML & CTF risk appetite. Sometimes one control will suffice; sometimes a mix of controls is required. The acid test for the controls is whether they reduce the probability of the risk occurring, lessen its impact and ultimately bring the risk rating down to a level that is acceptable to the firm.

Another really valuable stage at this point is the creation of Key Risk Indicators (KRIs). These give the firm defined thresholds to draft and then monitor its performance against. A firm’s performance against its KRIs should be captured as a component of its regular AML & CTF Management Information.


Step three: Test and review

It is not enough to implement what you think are the right AML and CTF controls; firms should also monitor and test them regularly. Testing should ideally be undertaken by someone with a degree of independence from the risk areas, and should use proportionate sampling.

22% of attendees at our recent webinar thought it constituted a crisis for a company if testing shows a control has failed. In fact, a detected control failure is the point of testing: it is far preferable to know you have an issue and can work out how to resolve it, than to be unaware of it, or to become aware of a control failure only when it is too late to deploy corrective actions.

Testing should be done regularly, and more frequently where the risk is higher. Companies’ sizes and services change over time, so the level of risk does not stand still; nor should your testing and monitoring.

A practical example of monitoring a control: a firm wants its exposure to high-risk clients to remain below 15% of its client base. Regular monitoring will flag when the proportion reaches 12%, at which point onboarding of high-risk clients can be halted, keeping the firm within its KRI.


Step four: Share your findings

Compliance teams should share risk assessments and audits with senior management and seek their buy-in. A Money Laundering Reporting Officer must escalate risk management information, seek approval for risk assessments and decisions, and ensure the Board and executive team understand the risks the firm faces and can act when appropriate.

All of this is simply practical and effective compliance, but it is worth investing time in the process. It makes it more likely that you will capture the relevant risks, put in place the right controls, and be better positioned to give your board and regulators assurance.

More guidance on this process can be found in our previous blogs. If you would like further advice on how to improve your company’s management of AML and CTF risks, please do not hesitate to get in touch.

Article by FScom
