What are the fundamentals of an AML Risk Assessment?
This article discusses why an AML risk assessment is the cornerstone of an AML/CFT compliance framework.
Increasingly, governments across the globe are requiring their industries to undertake an AML risk assessment. The purpose of the AML risk assessment is to measure the likelihood that a business will be used to unwittingly facilitate money laundering or financing of terrorism. Regulators agree that specific areas within a business either increase or decrease the risk. In risk management terminology these are known as Key Risk Indicators (KRIs). These KRIs, as they relate to ML/FT risks, are described below.
AML Risk - Nature, Size and Complexity
The ‘nature, size and complexity’ refers to the uniqueness of a business and includes (a) the types of products and services that it distributes; (b) whether the business has a complex structure of management and ownership; (c) the number of branches or locations that it operates from; (d) the geographic locations of its business operations; (e) the types of clients it targets; and (f) the number of staff that it has, whether employees or contractors.
The more complex a business is or the larger the size of its staff and locations, the more important it is to ensure good governance is operating throughout. The AML risk assessment should therefore note that senior managers must operate with a top-down approach. This will ensure a healthy compliance culture is present.
Staff are considered the first line of defence against money laundering. Their role in protecting brand and reputation is therefore invaluable.
Staff should have good knowledge of AML policies, procedures and controls, and should receive training at least annually.
AML Risk - Products and Services
The evaluation of products and services in the AML risk assessment is an important component for the overall AML/CFT framework. Professional launderers will shop for a business providing products and services that offer certain elements. These elements include (a) obscurity of ownership, (b) pooling of funds, (c) high liquidity, (d) accessed from offshore, (e) high value, (f) low value but high volume.
Your AML Compliance Officer should be involved in the assessment of products and services risk, specifically how vulnerable each is to facilitating a financial crime.
A product / services risk register should be maintained, providing a risk rating for each. This will assist the business at the time of an AML supervisor onsite inspection or when undertaking an AML/CFT audit. A risk register is an easy way to evidence that the business is focussed on evaluating risk and using data to apply ongoing due diligence.
The AML risk assessment should note that, when a client is risk profiled, the types of products and services they are accessing should be included in the profile. The more higher-risk products a client is transacting with, the higher the client risk score. This means the business needs to apply greater resourcing to ongoing due diligence for its higher-risk clients.
AML Risk - Clients
The client presents the greatest risk of a business unwittingly facilitating money laundering or financing of terrorism. This is because if the client has no intention of carrying out financial crime, then the risk is significantly reduced, although not completely eliminated.
Client profiling is therefore essential. Without the ability to know the risk level that a client presents, a business is walking blind when trying to manage ML/FT risk.
Factors that your AML risk assessment should treat as increasing client risk include: (a) domiciled offshore, (b) domiciled in a higher risk country, (c) operates a cash intensive business, (d) operates a business providing financial products and services to its own clients, (e) high net worth, (f) high value transactions or low value and high volume.
A high risk profile does not mean that a business should not carry out business activity with that client. What it does mean is that the business should pay greater attention to the activity that the client is undertaking by monitoring for suspicious or unusual patterns.
When monitoring is carried out, businesses should ensure they are keeping records of what types of matters they are monitoring for and whether any unusual activity has been escalated for further action / determination.
Not having these basic types of procedures in place will cause material issues at the time of the independent AML audit.
AML Risks - Method of Delivery
Method of delivery refers to the process that your business uses to onboard a client, as well as the processes used for ongoing communications / interactions with the clients. If the onboarding and ongoing contact is non face-to-face, the risks are higher. This is because it becomes more difficult to be certain the client is who they say they are.
There are various levels of carrying out electronic identity verification. The most common is entering in the client’s passport page code to confirm the passport is valid. However, without a facial profile of the person (the client) that is presenting the passport, these types of checks do not confirm it is the holder of the passport that is presenting the record. Facial recognition software commonly has the client capture an image of their face and then capture an image of the passport page on which their photo profile displays. Biometric software can then carry out various tests to confirm that the image captured of the client is ‘live’, therefore not a photo and that when compared to the profile image on the passport page, both match (or do not match, whatever the circumstances might be).
The higher the risk profile of a client, the greater the need to strengthen the method of verifying that the client is who they say they are. If the client does in fact have intentions to carry out a financial crime and they get past this first post, it becomes more difficult to identify their activity as suspicious.
AML Risks - Geography
Some countries present a greater risk of facilitating money laundering due to their lack of law enforcement, high level of corruption or lack of adequate money laundering / financing of terrorism laws. Businesses must therefore ensure they use reliable risk data to profile the countries that their business transacts with, as well as compare risk data against the countries that their clients are domiciled in or have a business relationship with.
Guidelines from the Financial Markets Authority
The Financial Markets Authority supervises the following business types: Derivative Issuers, Brokers and Custodians, Equity Crowdfunding Platforms, Financial Advisers, Management Investment Scheme Managers, Peer-to-Peer Lending, Discretionary Investment Management Services, Licensed Supervisors and Issuers of Securities. The key findings in its 2017 sector AML risk assessment are shown below:
Here are some key points that the FMA highlights in its most recent sector risk assessment:
“In our monitoring, we will look to see if you considered the SRA content, and then factored it into your risk assessment, as required by section 58(2)(g) of the Act”
“Many believe the offence of ML requires cash to be put into the financial system. However, depending on the stage of the process (placement, layering or integration) the proceeds of crime are often already in electronic form. Examples of this would be market manipulation, tax evasion and fraud.”
“The sectors we supervise are most likely used in the layering and integration stages of ML.”
“The sectors we supervise are generally expected to be the target of more sophisticated money launderers. These criminals are often familiar with capital markets and their products, involved in elaborate fraud or could be employees of financial institutions. Even though the criminal offending is more elaborate in these cases, the illegally-obtained funds still require layering to appear legitimate.”
Guidelines from the Department of Internal Affairs
The Department of Internal Affairs (DIA) supervises the following business types: money remittance, trust and company service providers, currency exchange, payment provider, casinos, non-bank non-deposit taking lender, non-bank credit cards, stored value cards, tax pooling, cash transport, debt collection, factoring, financial leasing, payroll remittance and safe deposit boxes. The key findings of its 2018 sector AML risk assessment are shown below:
Some key statements from the DIA sector risk assessments are as follows:
“DIA encourage reporting entities to access international AML/CFT guidance, in particular the material produced by the FATF, APG and the Australian Transaction Reports and Analysis Centre (AUSTRAC – the organisation responsible for AML/CFT in Australia).”
“A risk-based regime recognises that there can never be a zero-risk situation, and reporting entities should determine the level of ML/TF exposure they can tolerate. This is not a legislative requirement but may help reporting entities in their risk management.”
“Cash continues to be an easy and versatile method of transferring value. This includes the use of money mules, cash couriers and bulk movements. Also, the purchase of high-value goods with cash is an easy method of transferring value and disguising/concealing the proceeds of crime. Cash-intensive businesses, where its use is considered normal, lend themselves to all phases of ML. Customers that use cash or highly liquid commodities (including casino chips) present a significant risk of ML/TF.”
“Not being able to recognise ML/TF is a significant vulnerability that leaves a reporting entity open to misuse for ML/TF. Reporting entities need to promote an AML/CFT culture and increase and develop their knowledge of the ML/TF environment.”