As part of any AML compliance regime, the first step is to do an assessment of the risk associated with the business according to regulatory requirements. The Risk Assessment, or RA, takes into account a large scope of the business and relies on value judgments for each. This includes, but is not limited to, products, services, delivery channels, geography, operations, training, suspicious monitoring, record keeping and reporting. This includes having a program in place for any agents or third parties who are part of the value chain in the financial transaction.
On a global scale, the Financial Action Task Force (FATF) has recommended that an RA should be conducted before the launch of any new business venture, be that a new delivery channel, product/service, geographic location, etc. The RA “should take the appropriate measure to manage and mitigate those risks.” –FATF
In the US, the FinCEN MSB Exam Manual indicates that one should “identify and assess the money laundering risks that may be associated with its unique combination of products, services, customers, geographic locations, etc.” Further, it goes on to state that the focus should be on those “areas of its business that management believes pose the greater risks.”
In Canada, FINTRAC “expects a well-developed, documented and justifiable Risk Based Approach process that appropriately identifies, rates and mitigates the risks to a given entity.” It includes all the same risk areas as laid out by FATF; in this respect, it mirrors the FinCEN guidance. The nuance here is that FINTRAC splits up risk into Inherent Risk and Residual Risk. This means a business must take actions to mitigate the initial risk of a business venture and continue to manage ongoing risk afterwards.
The same regulations, guidance, and expectations resonate with every one of the FATF G38 member countries as well as many of the 184 observing members. This shows that the regulators are acknowledging that an RA provides the basis for understanding the risks and how and where to allocate resources to mitigate the largest risks first.
Identifying the risks
The FATF recommendations show that certain risks apply across the board. There is no one-size-fits-all approach to determining AML risks. Rather, they offer a road map to plot a course, all the while reminding the business that this is not an exhaustive list of risks, and there may be some that are unique to new industries. Areas that should be considered are:
Product Risk – depending on the product, there will be inherent risk related to anonymity and the handling of large sums of cash or equivalent, as well as residual risks related to ongoing monitoring, reporting, and record keeping requirements.
Geographic Risk – identifies locations internationally where there may be a high risk of criminal activity, money laundering, terrorist financing, or sanctions. Domestic geographic risk should also be taken into account, specifically relating to any manner of predicate criminal offense.
Operational Risk – relates to the procedures and controls in place, like having limits in place, transaction monitoring, amount of employee turnover, record keeping capabilities, senior management buy-in, and appropriate training for all staff and agents.
Agent Risk – relates to the types of activities that an agent does when acting on behalf of the business. This can range from the simple handling of a transaction to a comprehensive and robust AML regime.
Each of the components in the risks identified should be bucketed into high, medium, and low risk based on the potential impact it would have on the business in the event a violation is discovered by a regulator, or worse, law enforcement. This self-assessment should consider these risks accordingly and ensure there is a suitable mitigating control.
Going back once again to FATF, a mitigating control, or “countermeasures” as referenced in Recommendation 19, covers 9 broad ways of mitigating risks. These include everything from assessing when Enhanced Due Diligence is required, to appropriate reporting and record keeping, to limiting or even prohibiting certain aspects of the business, to third-party determination, and on and on. Suffice it to say, it is recommended that each risk that is deemed high, and even sometimes medium, should have an adequate countermeasure for dealing with ML/TF.
A business must take care though to ensure that not everything is deemed medium or low risk with no underlying high risks. This is a tell-tale sign to the regulator that the AML regime put in place by the business may not have adequately assessed the risks. In these cases, regulators have been known to insist that the bar be raised and that all medium risks be considered high risks and that appropriate mitigating controls be put in place.
Once the business has decided to undertake a proper RA, it will become clear that the line of business engaged in can be categorized as high, medium or low risk. This in turn will set out the amount of resources to expend on the AML regime that should warrant a successful examination if properly implemented and managed.
Developing a Risk Assessment
As stated earlier, each of the FATF G38 regulatory bodies has its own nuances but typically follows those laid out in their guidance and as summarized above. Many provide free toolkits, guidance, spreadsheets and relevant documentation for ensuring a proper RA is done. Most are so text-heavy and rudimentary that quickly producing a well-thought-out and structured RA would require more than just an RA course.
Start with a template
KYC2020 has created a FREE AML Risk Assessment tool that guides everyone from novice to expert on the various risks as identified by FATF, FinCEN, FINTRAC, and others. The RA tool has taken it to the next level by providing a framework and identified sample risks for each of the key areas outlined above. This can take the guessing out of starting from scratch. For example, depending on the business type, there may or may not be agents, cash may not be a choice, or, for the newest entrants, there may be virtual currency, where it's mostly pseudonymous. If a particular risk is not there, the RA tool provides the ability to add it at will.
At the end of the exercise, an RA report is provided, which can then be used as the basis of an AML compliance regime. Additional paid options are available, like personalized branded reports, AML specialists to assist or consult with on AML Compliance solutions, or custom requirements to further assist in the complete AML life cycle.