AML risk assessment is a mandatory requirement for compliance programmes in many regions around the world and this is for a good reason. As reporting entities we have a responsibility to help prevent money laundering and done right, risk assessment can be an effective tool in your compliance armoury in helping identify, measure and prioritise the risk of criminal activity.
Risk assessment documents don’t necessarily have to be complicated, but they should be tailored to your company’s specific business activities and risks. Below we discuss the benefits and what to include in your risk assessment documentation.
What to think about when creating your AML risk assessment
Your risk assessment is a great place to start thinking about the risk that is specific to your business and the level of risk that your business is comfortable with. It may not sound that exciting but it really helps create a shift from looking at compliance through a rule-based lens to adopting the more robust risk-based approach. Having clearly written risk assessment guidelines will help stop the tick box process and instead provide you with processes to refer to when you are onboarding new clients or where risk rating needs to be checked.
- Figure out how you’re going to assess risk, what is your risk matrix and how are you going to make sure it is used consistently and remains current?
- Every business is different and might handle risk in different ways. For example, Company A may have complex interactions with international markets on a daily basis and Company B may only deal with the local market – you would expect these two companies risk assessment documents to look different.
- While risk assessment templates may help you structure your documentation, don’t use them blindly as they can lead to naivety on what risks exist for your individual business.
- Your risk assessment should focus not just on what your clients could do but your business as a whole.
You are likely going to refer to your risk assessment document when risk is elevated or the complexity of a situation has increased, so it is something worth taking the time to get right, and ensuring you understand what risk factors to look out for.
Identifying risk factors
For most businesses when looking at risk factors you should consider the following elements:
The nature of your business, the scale and complexity. If you are a large business with complex structures consider how some activity may be higher risk and how the nature of your business might provide the potential to hide or mask suspicious activity.
The location and types of clients you’re dealing with. Consider how the lack of face-to-face interactions with some clients and the use of intermediaries may expose your business to higher risk. Dealing with clients in countries with a less stringent AML regulations may expose you to further risks and high profile clients or politically exposed persons (PEPs) may also heighten the risk factor.
Transactions involved. High value, high volume or high velocity transactions are potentially higher risk and should be assessed appropriately.
Products or services offered. While a client may look low risk, they may be using a service you provide which has a potential high risk. For example, if you provide address services for the set up of a new business there is the potential to create anonymity which could be used to facilitate money laundering.
All the above factors should be taken into account when considering risk, alongside an understanding of the level of risk your business is willing to take. And, if you do assess a high risk client then don’t hesitate to run enhanced due diligence so you can apply an increased level of scrutiny to the situation.
Assessing the risk
When considering risk factors, remember all businesses are different and what might be a high-risk activity for one company may not be so risky for another company. It really depends on your business, your appetite for risk and capacity to deal with complex situations.
Consider the likely impact to your business and whether the risk is acceptable. After assessment you might decide that you take different approaches for different clients – those that you know and trust and those that you don’t have an established relationship with.
Whatever the outcome of your risk assessment, ensure you keep accurate records showing how you have assessed and recorded risk so you have the right information available when it comes to reviewing client situations and at audit time.
Reviewing your risk assessment documents
Risk assessments should be a living set of documents and processes, they should not be a set and forget. Best practice is to review your risk assessment annually, a good time to do it is when your annual report is due.
While it might seem like an additional burden to review your risk assessment it is an important part of your compliance programme. There may be a number of factors which have changed during any given year which could impact your level of risk, not just in your business but with clients and/or regulatory policy and you need to account for this. For example, earlier this year, New Zealand saw changes to AML requirements for accountants when dealing with tax transfer exemptions. Changes like these should prompt a review of an accountancy firms risk assessment.
Again, it doesn’t have to be a complex activity, just make sure it’s fit for purpose and done on a regular basis so you stay on top of things.
Risk assessments are an essential part of your AML compliance programme and are key to helping you understand the areas of your business which could be vulnerable to money laundering activity.
In addition, they will help you understand your client, the risk they may pose to your business and what action you may need to take to mitigate the risk.
If you’d like a little help getting your risk assessment documents audit ready, or need help creating the necessary policies and procedures just give us a call on +64 9 369 6867 or request more information from our experienced compliance team.