The risk assessment of AML/CTF forms the basis of applying the risk-based approach in any organization. Performing the risk assessment of AML/CTF enables an organization to understand how and to what extent it is vulnerable to money laundering and terrorist financing. Usually, the risk assessment of AML/CTF will result in a categorization of risk, which will help organizations to determine the level of anti-money laundering resources necessary to mitigate that risk. It should always be properly documented, maintained, and communicated to relevant personnel within a given organization.
Risk Assessment Of AML/CTF
An organization’s risk assessment does not necessarily have to be overly complex but should be in line with the nature and size of the organization, its business model, and related products and services.
For smaller or less complex organizations, or even small financial institutions and banks, a very basic or rather simple risk assessment might suffice. For example, this might be the case for a small bank, where the bank’s customers fall into similar categories or where the range of products and services the bank offers is very limited. On the other hand, where the bank’s products and services are more complex, where there are multiple subsidiaries or branches offering a wide variety of products, or where the customer base is more diverse, a more sophisticated risk assessment process will be required.
Factors To Assess Money Laundering Risk
To identify and assess the money laundering risk to which organizations are exposed, banks should consider a range of factors, which should include the following:
The nature, scale, diversity, and complexity of their business
The organization’s target markets
The number of customers already identified as high risk
The jurisdictions the organization is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organized crime, or deficient country-level anti-money laundering measures
The distribution channels, including the extent to which the organization deals directly with the customer or the extent to which it relies on third parties to perform AML measures
The internal audit and regulatory findings
The volume and size of its business activities such as transactions, considering the usual activity of the organization and the profile of its customers.
Relevant Internal And External Sources
Organizations should complement this information with information obtained from relevant internal and external sources, such as heads of business, relationship managers, national risk assessments, lists issued by inter-governmental international organizations and national governments, as well as commonly known money laundering typologies. Organizations should also review their assessment periodically, for example, on an annual basis, and in any case when their circumstances change or relevant new threats emerge.
The risk assessment should be approved by senior management and form the basis for the development of policies and procedures to mitigate the money laundering risk, reflecting the risk appetite of the organization and stating the risk level deemed acceptable. In this regard, an organization should also make sure that policies, procedures, measures, and controls to mitigate the money laundering risks are consistent with the risk assessment.
Reviewing The Risk Assessment Of AML/CTF
The risk assessment methodology you use must be adaptable enough to respond to changes in your risk level. You must always assess the ML/TF risk of any new service or process before offering it to customers to ensure that your risk assessment is up to date. This includes the following:
new specialized services
new methods of providing existing designated services
utilizing new technologies to provide specific services
collaborating with a new jurisdiction
You must also reassess your level of risk when your customers’ circumstances change. These changes are as follows:
a shift in the nature of your commercial relationship with a customer
a change in the beneficial owner of the customer
alterations to the corporate structure or other control structures of a customer
Practical Challenges In Conducting The Risk Assessment Of AML/CTF
We have observed the following challenges when performing ML/TF risk assessments as a result of our work assisting reporting entities with their ML/TF risk assessments:
Planning and allocating resources: Conducting ML/TF risk assessments can be time-consuming and resource-intensive, especially when gathering information from business stakeholders, systems, and databases. Reporting entities may lack dedicated resources, or key personnel may lack the capacity to conduct regular and comprehensive ML/TF risk assessments. Furthermore, short completion timeframes or other business priorities (e.g. business-as-usual activities or strategic initiatives) may have an impact on the quality of ML/TF risk assessments.
Methodology development: Reporting entities may encounter challenges in developing an in-house ML/TF risk assessment methodology that provides a comprehensive and relevant view of their ML/TF risk exposure. When using “off-the-shelf” ML/TF risk assessment solutions, reporting entities must demonstrate their understanding of the solutions’ inputs, underlying methodology, and outputs.
Furthermore, an ML/TF risk assessment methodology should include a mix of quantitative and qualitative risk attributes in order to provide a more meaningful and holistic assessment of ML/TF risk.
Engaging key stakeholders: A sufficient level of engagement with business stakeholders is required to ensure that an ML/TF risk assessment accurately captures business-specific ML/TF risk. However, identifying stakeholders within each business area who have an appropriate level of knowledge across the risk factors may be difficult. Furthermore, a lack of AML/CTF knowledge within the business may impede the reporting entity’s ability to truly understand the level of ML/TF risk present in its various business areas.
While using quantitative data in an ML/TF risk assessment promotes an objective and consistent risk assessment approach, reporting entities face common challenges in gathering meaningful data that is reliable, accurate, complete, and consistently available across the entire business.
After determining the level of inherent ML/TF risk that a reporting entity faces, the inclusion of a controls assessment within the risk assessment methodology allows reporting entities to determine their residual ML/TF risk exposure. Incorporating a controls assessment, on the other hand, may be difficult if controls are not centrally maintained or accurately captured. Furthermore, the lack of a control effectiveness assessment limits a reporting entity’s ability to consider their control environment in the context of their ML/TF risk assessment.
Timeliness: A common challenge for reporting entities is determining the appropriate timing and frequency for performing an ML/TF risk assessment. The insights gained from ML/TF risk assessments must be accurate and relevant in order to help senior management make informed decisions about ML/TF risk management. As a result, the information and data used in ML/TF risk assessments must be up to date and reliable. Furthermore, prior to performing an enterprise-wide risk assessment (EWRA), the underlying risk assessments (customer, product, channel, and jurisdiction risk assessments) should be performed to ensure that the inputs used in the EWRA are accurate and up to date.
Final Thoughts
Identifying and assessing the level of money laundering and terrorist financing (ML/TF) risk to your company or organization is a critical component of your AML/CTF program. It is the first step because it determines which measures should be included in your program.
Assessing the ML/TF risk that your company or organization faces allows you to create an AML/CTF program with appropriate safeguards to keep your company or organization from being exploited by criminals. Once you’ve identified the risks, you’ll need to put controls in place to mitigate and manage them. More information on risk mitigation and risk management can be found in the risk management process section.