The pursuit of AML risk mitigation is ongoing. In light of the recent Dear CEO letter, we outline best practices when designing and implementing AML programmes.
In our recent webinar, we discussed insights and strategies for enhancing AML programmes considering the FCA's 'Dear CEO' letter. We were joined by our expert panellists, the CEO of ComplianceLnD, Paul Coady, and Skillcast senior advisor, Scott Morris, to unpack the implications of non-compliance.
Understanding AML risk mitigation & compliance
1. Business model
2. Risk assessment
3. Due diligence, ongoing monitoring, policies & procedures
4. Governance, management, information & training
AML risk mitigation requires a proactive approach beyond mere checkbox compliance, as emphasised in the FCA's Dear CEO letter, which serves as a warning against AML failings.
The focus spans four key areas: understanding the business model, conducting thorough risk assessments, implementing robust due diligence procedures, and ensuring effective governance, management information, and training.
It's essential to move beyond generic solutions and instead tailor approaches to the specific needs and risks of each firm. The call-out from regulatory bodies like the FCA underscores the importance of holistic thinking in addressing AML challenges.
This responsibility must be embraced by senior management, originating from the top down. It’s crucial to consider any changes across all financial crime risk types and controls and not limit it solely to AML.
1. Business model
Having a robust business model is crucial in mitigating AML risks. A fundamental aspect of AML risk mitigation lies in having a well-defined business plan, with active involvement from management. The FCA prioritises factual data, expecting firms to have comprehensive documentation in place.
When our webinar audience was asked what best describes their process for business model change, 42% said that they address changes on a case-by-case basis. Insights from our panellists reveal that this is similar to operating without a structured governance process. It also underscores the necessity for a standardised procedure for notifying the FCA, which 40% have implemented.
Such a process not only demonstrates compliance but also a deeper understanding of the risks inherent in market entry and operational changes.
One significant danger to firms is when business strategies and business models are being changed without appropriately considering and being able to demonstrate consideration of the financial crime risks. Hence, establishing a process that places financial crime prevention at the forefront is imperative, especially for the 13% of businesses currently lacking such protocols.
What can you do about a business model?
The recent Dear CEO letter serves as a catalyst for all firms to establish or refine their AML processes. This involves:
- board-level engagement to have protocols that put financial crime front and centre and prioritise risk management.
- having a process of assessment to notify the FCA and ensure the alignment of policies and procedures with the implications of new business endeavours.
- conducting regular assessments to reflect on processes and procedures, which helps to identify gaps and enable prompt action, thereby proactively managing risks for the firm.
Furthermore, AML compliance goes beyond financial systems; it necessitates holistic engagement across various departments such as HR, IT, and Finance. The FCA emphasises the importance of integrating systems and controls, ensuring that the organisation is not only mitigating financial risks but also adhering to employment laws and IT protocols.
This holistic approach is crucial for instilling confidence in the FCA regarding the organisation's control and leadership competency. Ultimately, having a well-defined business model that integrates AML risk mitigation ensures regulatory compliance and safeguards the reputation and integrity of an organisation in the financial landscape.
2. Risk assessment
Risk assessment is a critical component of AML risk mitigation and compliance. In our webinar poll, we saw that nearly half of businesses have a Business Wide Risk Assessment (BWRA), but there's often a need for further attention in this area.
A BWRA serves as a cornerstone, being the first aspect scrutinised by the FCA. It's not just about having one; it must be tailored to the specific risks associated with your business model, informing policies, procedures, and operational decisions.
Through risk assessment, businesses can pinpoint where their focus should lie. Generic inputs or outputs pose a danger of not being reflective of the specific risks, issues and needs of the firm. A one-size-fits-all approach is inadequate; risk assessment must reflect the unique characteristics and challenges of each business.
Know Your Customer (KYC) procedures are integral to risk assessment, requiring businesses to understand their customers' origins, business activities, and operating jurisdictions. Client risk assessment is vital for financial institutions as it ensures informed decision-making, mitigates potential risks, and safeguards against financial crimes such as money laundering and fraud.
Customers cannot be grouped together; each must undergo individual risk assessment, with appropriate measures implemented for higher-risk clients.
Even smaller firms with limited budgets can address risk assessment by utilising vendor solutions, provided they ensure these solutions are tailored to their specific needs. Risks should be assessed separately, with controls designed to mitigate them. Businesses must determine whether to accept, mitigate, or avoid risks, ensuring the residual risk aligns with acceptable levels.
What can you do about risk assessments?
Non-compliance with risk assessment requirements carries consequences outlined in regulatory directives, such as the Dear CEO letter, which expects firms to heed warnings and implement necessary measures.
- Ensure data is reliable and timely - this is crucial for effective risk assessment, emphasising the importance of data integration.
- Be consistent in risk assessments to enable businesses to identify gaps and make informed decisions regarding control implementation, ultimately facilitating better management of remediation efforts.
- Implement a comprehensive BWRA integrated throughout the firm, ensuring high quality and detailed identification of Anti-Financial Crime (AFC) risks and their mitigation strategies, linking to broader AML programmes.
- Define a robust methodology for risk assessment, with clear roles and responsibilities, particularly at the senior management level.
- Develop BWRA and methodology if not already in place, and retroactively apply to show progress.
- Customise Client Risk Assessment (CRA) policies for individual clients based on specific risk factors, with clear steps for Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD).
- Utilise technology and data analytics to enhance risk assessments, identifying emerging risks and trends.
- Define risk appetite, identify inherent risks, implement mitigation measures, and assess residual risk.
3. Due diligence, ongoing monitoring, policies & procedures
From our webinar poll, we discovered a significant majority, 85%, have established a formal framework and documented process for governance of policies and procedures.
Policies and procedures provide real value by translating complex rules and regulations into understandable guidelines for personnel, facilitating compliance efforts. However, their effectiveness hinges on strong governance and a clear methodology for approval, ensuring they are aligned with the organisation's objectives and adequately address AML risks.
Regular monitoring is essential to evaluate the impact of these policies and procedures in mitigating risks, determining their efficacy and identifying areas for improvement.
While senior management may not need to review every detail of policies and procedures, they should maintain oversight of key aspects to ensure alignment with organisational goals and regulatory requirements. Their involvement in strategic decision-making and oversight provides accountability and reinforces the importance of compliance throughout the organisation.
What can you do about due diligence, ongoing monitoring, policies & procedures?
- Have a clear methodology, starting from the top, for developing, implementing, and maintaining policies and procedures. This includes governance, accountability, roles, responsibilities, and the design, development, and implementation processes.
- Reflect actual business practices in policies and procedures; don't just repeat regulatory requirements.
- Provide evidence of adherence to policies and procedures and effective risk management - the FCA expects this.
- Integrate policies and procedures with other components of the AML programme, such as risk assessment, monitoring, testing, and training.
- Actively involve senior management, including AFC and MLRO, in daily business activities, overseeing key issues, mitigations, and decisions, such as high-risk account reviews. While they oversee the policy framework, they don't need to review and approve every document, potentially using a tiered approval process.
- Consider the firm's size and nature when implementing policies, controls, and procedures, ensuring they remain appropriate for the business's scale.
Overall, due diligence, ongoing monitoring, and robust policies and procedures serve as critical pillars in AML risk mitigation efforts, promoting adherence to regulations and safeguarding against financial crimes.
4. Governance, management, information & training
Governance, management, information, and training play pivotal roles in mitigating AML risks, as evidenced by the necessity for a comprehensive approach outlined in various key points.
A significant 42% conduct a Training Needs Analysis (TNA) annually, a practice that is essential for pinpointing risks and issues within the business and tailoring training programmes accordingly.
Specific support is crucial to enable individuals to fulfill their roles effectively, underscoring the importance of allocating adequate resources to financial crime prevention efforts—an aspect of concern for regulatory bodies like the FCA.
Integration between those overseeing the AML programme and the training programme is imperative, ensuring alignment and accountability in decision-making processes.
The FCA emphasises the role of senior management in fostering a culture of compliance, setting the right tone throughout the organisation. A cohesive training approach is advocated, encompassing a comprehensive programme, pre-assessment testing, micro-training modules, and individual adaptation.
This holistic training strategy is essential for demonstrating staff comprehension of financial crime matters—a critical aspect in satisfying regulatory expectations. In essence, effective governance, management, information dissemination, and training are vital components in fortifying AML risk mitigation efforts, fostering a culture of compliance and ensuring regulatory adherence.
What can you do about governance, management, information & training?
- Have strong governance - this is crucial for AFC programme success, requiring a robust mechanism and structure for decision-making, accompanied by a clear audit trail to document relevant information, assessments, and actions taken in response to financial crime risks, ensuring transparency and accountability.
- Establish a comprehensive regulatory training strategy to address AML risks effectively.
- Conduct regular Training Needs Analyses (TNAs) to evaluate the scope, frequency, and quality of training sessions, gathering feedback from employees to identify areas for improvement.
- Integrate training, communications, and awareness programmes to reinforce compliance culture throughout the organisation.
- Foster a compliance culture through development, measurement, and fostering of organisational norms, shaping "the way we do things around here."
- Enhance engagement with regular updates and new training materials.
- Test training outcomes to gauge effectiveness and address any deficiencies.
- Develop role-specific training to highlight key AFC risks relevant to specific roles or groups within the organisation.
- Address crucial topics such as sanctions and Suspicious Activity Report (SAR) training.
- Approach regulatory training as a continuous cycle, ensuring ongoing education and adaptation to evolving risks and regulatory requirements.
The 3-step risk-based approach to AML
Governments have instituted Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regimes to combat the money laundering cycle. The consequences for perpetrators include severe fines and imprisonment. A risk-based approach (RBA) to AML/CTF is central to implementing rules effectively, and it involves a three-step process:
The RBA requires AML-regulated individuals and entities to identify, assess, and mitigate ML/TF risks to which they are exposed. This approach allows for the allocation of resources to higher-risk areas.
1. Risk identification
AML-regulated individuals and entities need to identify potential ML/TF risks to ensure effective targeting of resources.
It is important to remain informed about the mechanisms commonly employed by ML/TF perpetrators and how these may affect your business and the sector in which you work.
It is also imperative that you document everything, including your thought processes. Identifying risk is not a one-off process – it is simply a snapshot of the situation. As information constantly changes, it should always be updated to remain relevant.
Finally, identifying risk should never be a 'check-box' exercise. However, several starting points may make risk identification (and subsequent assessment and mitigation) of ML/TF practices easier.
For instance, breaking the process down into separate questions:
a. Does the customer pose a higher level of risk?
The first thing to assess is whether the customer is who they say they are.
Ideally, you would meet the customer in person, check their government-issued photographic ID and proof of address and ensure that this aligns with your understanding of the customer.
Identification is just the first step in knowing your customer. The next thing to establish is whether the customer is a politically exposed person (PEP). A PEP is someone who holds or acts in a prominent public position that they could abuse for personal gain or commit other serious crimes, such as bribery and corruption.
Be aware that dealings with PEPs are not necessarily banned but deemed to involve higher risk.
If the customer is a business entity:
- it's important to understand who ultimately controls or benefits from their activities
- it may be necessary to cross-reference any information on file with records kept at Companies House and other beneficial ownership registers
Whether the customer is an individual or an entity, it is necessary to check if they are associated with people on a recognised sanctions list and/or the subject of negative publicity.
Establishing a customer's risk profile involves a comprehensive evaluation of various factors, including their financial background, transaction history, industry involvement, geographic location, and regulatory compliance. This process enables financial institutions to categorise customers based on their risk levels, ranging from low to high, and tailor their services and risk management strategies accordingly.
The FCA's Dear CEO letter emphasises the importance of this practice as it serves to uphold the integrity of the financial system and protect consumers. By prioritising the assessment of customer risk profiles, the FCA aims to enhance transparency, promote accountability, and prevent financial institutions from engaging in activities that could harm both the market and their clientele.
b. How risky is the service you are providing?
When assessing the risk associated with a service, it's important to ask, 'why has the customer decided to come to us?'. Is this a service your company normally provides, and are you sufficiently skilled?
Certain sectors pose higher risks, and it is important to be aware of whether your sector falls into this category. Generally speaking, the sector's levels of transparency and anonymity correlate with risk.
In the context of the service you're providing, consider the categories of risk assessment:
1. Product risk: This involves assessing the inherent risks associated with your company's products or services. For example, if your company offers complex financial products, the risk of mis-selling or regulatory non-compliance may be higher compared to offering straightforward services. Understanding the complexity, volatility, and potential impact of the products/services on clients is crucial for managing product risk effectively.
2. Channel risk: Channel risk relates to the delivery channels used by your company to provide its services. In an increasingly digital world, companies often rely on online platforms, mobile apps, or other technological solutions to deliver their services. However, these channels also pose risks, such as cybersecurity threats, data breaches, and disruptions in service delivery. Assessing and mitigating these risks is essential to ensure the reliability, security, and continuity of service delivery.
3. Jurisdiction risk: This type of risk refers to the legal and regulatory environment in which your company operates. Different jurisdictions have varying laws, regulations, and compliance requirements that companies must adhere to. Failure to comply with these regulations can result in legal penalties, fines, and reputational damage. Companies need to conduct thorough assessments of the regulatory landscape in their operating regions and stay updated on changes to mitigate jurisdiction risk effectively.
4. Operational risk: Operational risk encompasses the potential for loss due to internal processes, systems, or human error. This includes risks associated with technology failures, operational disruptions, inadequate internal controls, and staffing issues. Companies must implement robust operational procedures, conduct regular risk assessments, and invest in staff training to minimise operational risks and ensure the smooth functioning of their services.
5. Reputation risk: Reputation risk refers to the potential damage to your company's brand or reputation. Negative publicity, customer complaints, ethical lapses, or service failures can significantly impact trust and credibility, leading to loss of customers and revenue. Maintaining high standards of professionalism, transparency, and ethical conduct is essential for mitigating reputation risk and building long-term trust with clients.
By thoroughly assessing and addressing these categories of risk, companies can effectively manage the overall risk profile of their services, enhance service quality, and maintain the trust and confidence of their clients.
The National Risk Assessment includes many higher-risk services. You may glean other clues from sector-specific guidelines published by the relevant regulatory body.
Higher-risk services may include:
- payroll services
- company formation services
- probate services
- high-value property and real estate services
- money-based services
- gambling services
- cryptocurrency services
- tax advice
When providing a higher-risk service, it is important to look out for any red flags associated with the customer's behaviour. For example, is there a consistent pattern in the type of services the customer requires, and are the types of services they look for consistent with their business rationale?
c. Where are the services located geographically?
Certain jurisdictions pose a higher ML/TF risk level than others. It may sound obvious, but it still needs to be said that a customer or a service will pose a higher risk if associated with a higher-risk country or jurisdiction.
Note that there only needs to be an association with the high-risk jurisdiction to trigger a greater need for scrutiny - it does not need to be a direct link. For example, if a customer subsidiary's base is in a high-risk jurisdiction, you may need to dig deeper. This is especially true if the funds move through an entity in a high-risk jurisdiction.
You should also know where a customer is in your jurisdiction. For example, suppose a customer is in a different city, county or province. In that case, you may query why the customer has come to you instead of a similar service provider closer to home.
d. What type of transactions will the service involve?
You should ask yourself whether any transactions or dealings with the client could be hidden or anonymised and whether your actions could assist with that activity. When looking at the risk of transactions, you should consider the whole picture.
A broad view refers to the business activity and rationale of the customer, so you can assess whether the relevant transactions make sense. Understanding the source of funds (and the source of wealth in more suspicious transactions) is fundamental to this process.
Other transactional risk factors are associated with:
- the speed with which you can complete transactions
- the volume and frequency of transactions relating to a particular product or service
Cash transactions are difficult to trace by nature, so look for invoices and official receipts to prove these transactions. Certain wire transfer services that are notoriously hard to track should also set off alarm bells.
When dealing with established cryptocurrencies and transactions involving non-fungible tokens (NFTs), you will generally be able to get a snapshot of the blockchain or at least a list of transactions that give you a clue to the source of funds.
Furthermore, it would be best if you examined any transactions involving payment to unrelated third parties in more detail.
e. How will the service be delivered?
There are two main considerations here that tie into the other risk factors. These considerations include whether the service will be:
- performed in person or remotely
- provided directly, or via an intermediary or other third party
Providing services directly for the end beneficiary and in person has been shown to lower the risk of ML/TF.
Risk mitigation is another thing to consider when planning service delivery. If a customer poses a higher risk or if something appears to be suspicious with some part of a service, it is always possible to onboard the customer by providing less risky services.
In doing so, you can build a relationship with the customer. You can use the ongoing relationship to vet the customer for higher-risk services.
2. Risk assessment
After identifying the possible ML/TF risks, it is necessary to assess those risks formally. It is important to understand that although a fundamental part of the RBA involves gathering quantitative and qualitative information, this is simply the start of the process. Without proper analysis of the information and a judgement call, the information has no function.
Assessing risk requires determining how the ML/TF risks identified are likely to pan out. This process involves looking at all the available information and judging the likelihood of these risks eventuating and the impact on the transaction, individual customer relationships, the business, the sector in which you work, and the economy.
The main purpose of conducting a risk assessment is to challenge the facts in front of you. To achieve this, you may need to cross-reference facts, double-check consistency and conduct additional research.
This does not mean that everyone working for an AML-regulated entity must become a detective. Rather, if red flags appear when conducting due diligence, they should be examined and acted on, not ignored.
ML/TF risks generally fall into the category of low, medium or high:
- Low risk - a markedly lower chance of ML/TF occurring
- Medium risk - the standard
- High risk - a markedly higher chance of an ML/TF event occurring
It is best practice to assess risk at all levels of an AML-regulated business. A full assessment means that you should perform risk assessment at the following levels:
- the transactional level (by the person dealing with the transaction)
- the customer/client level (by those who deal with the customer – it could be the same person who deals with the transaction)
- the business level (by the MLRO, senior management and Legal/Compliance, and it should feed into the company's internal AML/CTF policies and procedures)
Each of these assessments should be guided by and fed into each other. It is also best practice to consider risk assessments performed at the following levels:
- sectoral level (often, this comes in the form of guidelines issued by the industry regulator)
- national level (in the form of a National Risk Assessment and FATF mutual evaluation reports)
- international level (often completed by FATF and other regional AML/CTF bodies)
Business Risk Assessments
A company's Business Risk Assessment (BRA) is a living document that forms part of its AML/CTF Policies and Procedures. The BRA should be constantly reviewed and redrafted if necessary.
It helps to remove some of the hassle for individual employees as it already provides an assessment of ML/TF risks that may affect the business. It also looks at business activities relating to the wider economy, considering the most up-to-date domestic laws, rules and guidance.
Customer Risk Assessment
You should assess all customers of an AML-regulated business individually. It is also wise to examine the customer relationship in line with the company's BRA, internal AML/CTF policies, current affairs, national laws, and guidance. This process is referred to as a Customer Risk Assessment (CRA).
This assessment often uses the information gathered during the risk identification process, including information derived from Customer Due Diligence (CDD) at the onboarding stage. It is important to remember that CDD is just one tool that can be used to complete a CRA, and the CRA often helps to inform the level of CDD that needs completing.
Like all other parts of the RBA, CRA is an ongoing process. Still, the ideal time to start the process is just before establishing the relationship to ensure more control over risk mitigation. At that stage, neither party has fully committed themselves to the relationship.
Always bear in mind that the cost of losing a customer is always less than what may be associated with losing the whole business.
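The five risk-identification questions above (customer, service, geography, transactions, delivery) and the low/medium/high rating can be combined into a documented Customer Risk Assessment. The following is an added illustration, not code from Skillcast or any regulator: the weights, thresholds and field names are constructed assumptions, chosen so that a sanctions match always escalates to the MLRO, a PEP or any association with a high-risk jurisdiction always triggers EDD, and every scoring decision is recorded as a reason, reflecting the text's insistence on documenting the thought process.

```python
"""Customer Risk Assessment (CRA) scorer over the five risk-identification
questions and the low/medium/high rating. Added example; all weights and
thresholds below are constructed assumptions, not a regulatory methodology."""
from dataclasses import dataclass, field
from typing import List

# Constructed from the page's list of higher-risk services.
HIGHER_RISK_SERVICES = {
    "payroll", "company formation", "probate", "high-value property",
    "money services", "gambling", "cryptocurrency", "tax advice",
}


@dataclass
class CustomerProfile:
    name: str
    verified_in_person: bool          # ID and proof of address checked face to face
    is_pep: bool                      # politically exposed person
    sanctions_match: bool             # hit on a recognised sanctions list
    adverse_media: bool               # negative publicity found
    is_entity: bool                   # business customer rather than individual
    beneficial_owners_verified: bool  # cross-checked against Companies House etc.
    high_risk_jurisdiction_link: bool # any association, direct or via subsidiary / funds flow
    services: List[str] = field(default_factory=list)
    cash_intensive: bool = False
    third_party_payments: bool = False
    remote_only: bool = False
    via_intermediary: bool = False


@dataclass
class Assessment:
    rating: str            # "low" | "medium" | "high"
    due_diligence: str     # "CDD" | "EDD"
    escalate_to_mlro: bool
    score: int
    reasons: List[str]     # the documented thought process


def rate(score: int, escalate: bool) -> str:
    """Map a constructed score onto the three-tier rating used in the text."""
    if escalate or score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assess_customer(p: CustomerProfile) -> Assessment:
    score, reasons = 0, []
    mandatory_edd = escalate = False

    # a. Does the customer pose a higher level of risk?
    if p.sanctions_match:
        score += 10; escalate = mandatory_edd = True
        reasons.append("sanctions list match: escalate to MLRO before proceeding")
    if p.is_pep:
        score += 8; mandatory_edd = True
        reasons.append("PEP: not banned, but deemed higher risk")
    if p.adverse_media:
        score += 3; reasons.append("adverse media found")
    if not p.verified_in_person:
        score += 2; reasons.append("identity not verified face to face")
    if p.is_entity and not p.beneficial_owners_verified:
        score += 3; reasons.append("beneficial ownership not cross-checked")

    # b. How risky is the service?
    risky = sorted(s for s in p.services if s in HIGHER_RISK_SERVICES)
    if risky:
        score += 2 * len(risky)
        reasons.append("higher-risk service(s): " + ", ".join(risky))

    # c. Geography: an association is enough; a direct link is not required
    if p.high_risk_jurisdiction_link:
        score += 4; mandatory_edd = True
        reasons.append("association with high-risk jurisdiction: dig deeper")

    # d. Transactions
    if p.cash_intensive:
        score += 3; reasons.append("cash-intensive: require invoices and receipts")
    if p.third_party_payments:
        score += 3; reasons.append("payments to unrelated third parties")

    # e. Delivery: in-person, direct delivery has been shown to lower risk
    if p.remote_only:
        score += 1; reasons.append("remote delivery")
    if p.via_intermediary:
        score += 2; reasons.append("delivered via an intermediary")

    rating = rate(score, escalate)
    dd = "EDD" if (mandatory_edd or rating == "high") else "CDD"
    return Assessment(rating, dd, escalate, score, reasons)


if __name__ == "__main__":
    # Constructed sample customer: entity whose subsidiary sits in a high-risk jurisdiction.
    sample = CustomerProfile("Example Ltd", True, False, False, False, True, True, True,
                             services=["tax advice"])
    a = assess_customer(sample)
    print(a.rating, a.due_diligence, a.score)
    for r in a.reasons:
        print(" -", r)
```

Because the rating is a judgement call rather than a mechanical output, the `reasons` list is the part that matters for the record: it is what the MLRO reviews and what the firm keeps on file for the retention period the text mentions.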
Interactive assessment
As you have probably noted, each level of assessment will affect every other level of assessment. Therefore, it is important to ensure that you document and communicate changes to risk resulting from an assessment to all relevant parties. Don't panic; for most of us, this means keeping proper records (for at least five years), reporting when appropriate and keeping in touch with the MLRO and/or Legal/Compliance.
3. Risk mitigation & management
Simply identifying and assessing risk on their own would have little practical effect on reducing ML/TF activities if you don't take action. All AML-regulated businesses are obliged to report suspicious activities or transactions to the relevant Financial Investigation Unit of the national authority.
Depending on the jurisdiction, reporting happens through a formal Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). This obligation extends to a duty to report any suspected predicate offences.
An immediate duty
Fulfilling the duty to report should happen as soon as the suspicion arises, so long as the suspicion is reasonably well-grounded. AML/CTF reporting should never be used to harass or defame others. Where suspicion is well-grounded, don't look to investigate further before reporting. Report it immediately and monitor the situation.
Ongoing duty to report
Given the interconnectedness of AML/CTF processes, the duty to report does not cease because you rejected the suspicious transaction or at the point that the customer relationship terminates. The duty to report suspicious activity is ongoing, and it applies irrespective of whether there is a continuing relationship with the potential subject of the report.
Avoid tipping-off
It is also important to remember that the duty to report goes hand in hand with an obligation to avoid doing anything that may tip off the potential subject of a SAR/STR. Even inadvertent tipping-off can have serious repercussions.
Although it is important to maintain strong communication lines, it is also important to limit the extent of disclosure. Avoid discussing suspicions with colleagues or even managers. Save the conversation for the MLRO.
Note that this does not stop you from asking colleagues for advice on how to perform your role more effectively. For example, asking for advice on the company's AML/CTF policies and procedures or how to best gather information through the CDD process.
Your back-up
Don't worry; you are not in this alone. Your company's MLRO and Legal/Compliance Unit should be your first port of call if you have any questions about identifying ML/TF practices. Their function is to keep informed about ML/TF practices and the best means to identify, assess and mitigate ML/TF risk.
Anonymous reporting
If direct reporting puts the reporter in an uncomfortable or dangerous position, the reporter may use the whistleblower's hotline.
Want to learn more about Financial Crime?
We've created a comprehensive AML roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.