The 3-step risk-based approach to AML
Governments have instituted Anti-money Laundering and Counter-terrorism Financing (AML/CTF) regimes to combat this cycle. The consequences for perpetrators include severe fines and imprisonment. A risk-based approach (RBA) to AML/CTF is central to implementing rules effectively, and it involves a three-step process:
The RBA requires AML-regulated individuals and entities to identify, assess, and mitigate ML/TF risks to which they are exposed. This approach allows for the allocation of resources to higher-risk areas.
1. Risk identification
AML-regulated individuals and entities need to identify potential ML/TF risks to ensure effective targeting of resources.
It is important to remain informed about the mechanisms commonly employed by ML/TF perpetrators and how these may affect your business and the sector in which you work.
It is also imperative that you document everything, including your thought processes. Identifying risk is not a one-off process – it is simply a snapshot of the situation. As information constantly changes, it should always be updated to remain relevant.
Finally, identifying risk should never be a 'check-box' exercise. However, several starting points may make risk identification (and subsequent assessment and mitigation) of ML/TF practices easier.
For instance, breaking the process down into separate questions:
a. Does the customer pose a higher level of risk?
The first thing to assess is whether the customer is who they say they are.
Ideally, you would meet the customer in person, check their government-issued photographic ID and proof of address and ensure that this aligns with your understanding of the customer.
Identification is just the first step in knowing your customer. The next thing to establish is whether the customer is a politically exposed person (PEP). A PEP is someone who holds or acts in a prominent public position that they could abuse for personal gain or to commit other serious crimes, such as bribery and corruption.
Be aware that dealings with PEPs are not necessarily banned but are deemed to involve higher risk.
If the customer is a business entity:
- it's important to understand who ultimately controls or benefits from their activities
- it may be necessary to cross-reference any information on file with records kept at Companies House and other beneficial ownership registers
Whether the customer is an individual or an entity, it is necessary to check if they are associated with people on a recognised sanctions list and/or the subject of negative publicity.
It is also important to use the 'who is the customer?' process to establish the business rationale of the customer, as this will help down the line.
At this stage of the process, it might be worth determining the customer's source of wealth. However, this determination is only necessary if a few red flags pop up or the customer poses a higher risk.
b. How risky is the service you are providing?
When assessing the risk associated with a service, it's important to ask, 'why has the customer decided to come to us?'. Is this a service your company normally provides, and are you sufficiently skilled?
Certain sectors pose higher risks, and it is important to be aware of whether your sector falls into this category. Generally speaking, the sector's levels of transparency and anonymity correlate with risk.
The National Risk Assessment includes many higher-risk services. You may glean other clues from sector-specific guidelines published by the relevant regulatory body.
Higher-risk services may include:
- payroll services
- company formation services
- probate services
- high-value property and real estate services
- money-based services
- gambling services
- cryptocurrency services
- tax advice
When providing a higher-risk service, it is important to look out for any red flags associated with the customer's behaviour. For example, is there a consistent pattern in the type of services the customer requires, and are the types of services they look for consistent with their business rationale?
c. Where are the services located geographically?
Certain jurisdictions pose a higher ML/TF risk level than others. It may sound obvious, but it still needs to be said that a customer or a service will pose a higher risk if associated with a higher-risk country or jurisdiction.
Note that there only needs to be an association with the high-risk jurisdiction to trigger a greater need for scrutiny - it does not need to be a direct link. For example, if a customer's subsidiary is based in a high-risk jurisdiction, you may need to dig deeper. This is especially true if the funds move through an entity in a high-risk jurisdiction.
You should also know where a customer is in your jurisdiction. For example, if a customer is in a different city, county or province, you may query why the customer has come to you instead of a similar service provider closer to home.
d. What type of transactions will the service involve?
You should ask yourself whether any transactions or dealings with the client could be hidden or anonymised and whether your actions could assist with that activity. When looking at the risk of transactions, you should consider the whole picture.
A broad view refers to the business activity and rationale of the customer, so you can assess whether the relevant transactions make sense. Understanding the source of funds (and the source of wealth in more suspicious transactions) is fundamental to this process.
Other transactional risk factors are associated with:
- the speed with which you can complete transactions
- the volume and frequency of transactions relating to a particular product or service
Cash transactions are difficult to trace by nature, so look for invoices and official receipts to prove these transactions. Certain wire transfer services that are notoriously hard to track should also set off alarm bells.
When dealing with established cryptocurrencies and transactions involving non-fungible tokens (NFTs), you will generally be able to get a snapshot of the blockchain or at least a list of transactions that give you a clue to the source of funds.
Furthermore, you should examine in more detail any transactions involving payment to unrelated third parties.
e. How will the service be delivered?
There are two main considerations here that tie into the other risk factors. These considerations include whether the service will be:
- performed in person or remotely
- provided directly, or via an intermediary or other third party
Providing services directly for the end beneficiary and in person has been shown to lower the risk of ML/TF.
Risk mitigation is another thing to consider when planning service delivery. If a customer poses a higher risk or if something appears to be suspicious with some part of a service, it is always possible to onboard the customer by providing less risky services.
In doing so, you can build a relationship with the customer. You can use the ongoing relationship to vet the customer for higher-risk services.
2. Risk assessment
After identifying the possible ML/TF risks, it is necessary to assess those risks formally. It is important to understand that although a fundamental part of the RBA involves gathering quantitative and qualitative information, this is simply the start of the process. Without proper analysis of the information and a judgement call, the information has no function.
Assessing risk requires determining how the ML/TF risks identified are likely to pan out. This process involves looking at all the available information and judging the likelihood of these risks eventuating and the impact on the transaction, individual customer relationships, the business, the sector in which you work, and the economy.
The main purpose of conducting a risk assessment is to challenge the facts in front of you. To achieve this, you may need to cross-reference facts, double-check consistency and conduct additional research.
This does not mean that everyone working for an AML-regulated entity must become a detective. Rather, if red flags appear when conducting due diligence, they should be examined and acted on, not ignored.
ML/TF risks generally fall into the category of low, medium or high:
- Low risk - a markedly lower chance of ML/TF occurring
- Medium risk - the standard
- High risk - a markedly higher chance of an ML/TF event occurring
It is best practice to assess risk at all levels of an AML-regulated business. A full assessment means that you should perform risk assessment at the following levels:
- the transactional level (by the person dealing with the transaction)
- the customer/client level (by those who deal with the customer – it could be the same person who deals with the transaction)
- the business level (by the MLRO, senior management and Legal/Compliance, and it should feed into the company's internal AML/CTF policies and procedures)
Each of these assessments should be guided by and fed into each other. It is also best practice to consider risk assessments performed at the following levels:
- sectoral level (often, this comes in the form of guidelines issued by the industry regulator)
- national level (in the form of a National Risk Assessment and FATF mutual evaluation reports)
- international level (often completed by FATF and other regional AML/CTF bodies)
Business Risk Assessments
A company's Business Risk Assessment (BRA) is a living document that forms part of its AML/CTF Policies and Procedures. The BRA should be constantly reviewed and redrafted if necessary.
It helps to remove some of the hassle for individual employees as it already provides an assessment of ML/TF risks that may affect the business. It also looks at business activities relating to the wider economy, considering the most up-to-date domestic laws, rules and guidance.
Customer Risk Assessment
You should assess all customers of an AML-regulated business individually. It is also wise to examine the customer relationship in line with the company's BRA, internal AML/CTF policies, current affairs, national laws, and guidance. This process is referred to as a Customer Risk Assessment (CRA).
This assessment often uses the information gathered during the risk identification process, including information derived from Customer Due Diligence (CDD) at the onboarding stage. It is important to remember that CDD is just one tool that can be used to complete a CRA, and the CRA often helps to inform the level of CDD that needs completing.
Like all other parts of the RBA, CRA is an ongoing process. Still, the ideal time to start the process is just before establishing the relationship to ensure more control over risk mitigation. At that stage, neither party has fully committed themselves to the relationship.
Bear in mind that the cost of losing a customer is always less than what may be associated with losing the whole business.
As you have probably noted, each level of assessment will affect every other level of assessment. Therefore, it is important to ensure that you document and communicate changes to risk resulting from an assessment to all relevant parties. Don't panic; for most of us, this means keeping proper records (for at least five years), reporting when appropriate and keeping in touch with the MLRO and/or Legal/Compliance.
Identifying and assessing risk would, on their own, have little practical effect on reducing ML/TF activities if you don't take action. All AML-regulated businesses are obliged to report suspicious activities or transactions to the relevant Financial Investigation Unit of the national authority.
Depending on the jurisdiction, reporting happens through a formal Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). This obligation extends to a duty to report any suspected predicate offences.
An immediate duty
Fulfilling the duty to report should happen as soon as the suspicion arises, so long as the suspicion is reasonably well-grounded. AML/CTF reporting should never be used to harass or defame others. Where suspicion is well-grounded, don't look to investigate further before reporting. Report it immediately and monitor the situation.
Ongoing duty to report
Given the interconnectedness of AML/CTF processes, the duty to report does not cease because you rejected the suspicious transaction or at the point that the customer relationship terminates. The duty to report suspicious activity is ongoing, and it applies irrespective of whether there is a continuing relationship with the potential subject of the report.
It is also important to remember that the duty to report goes hand in hand with an obligation to avoid doing anything that may tip off the potential subject of a SAR/STR. Even inadvertent tipping-off can have serious repercussions.
Although it is important to maintain strong communication lines, it is also important to limit the extent of disclosure. Avoid discussing suspicions with colleagues or even managers. Save the conversation for the MLRO.
Note that this does not stop you from asking colleagues for advice on how to perform your role more effectively. For example, asking for advice on the company's AML/CTF policies and procedures or how to best gather information through the CDD process.
Your backup
Don't worry; you are not in this alone. Your company's MLRO and Legal/Compliance Unit should be your first port of call if you have any questions about identifying ML/TF practices. Their function is to keep informed about ML/TF practices and the best means to identify, assess and mitigate ML/TF risk.
If direct reporting puts the reporter in an uncomfortable or dangerous position, the reporter may use the whistleblower's hotline.