The pursuit of AML risk mitigation is ongoing. In light of the recent Dear CEO letter, we outline best practices when designing and implementing AML programmes.
In our recent webinar, we discussed insights and strategies for enhancing AML programmes in light of the FCA's 'Dear CEO' letter. We were joined by our expert panellists, the CEO of ComplianceLnD, Paul Coady, and Skillcast senior advisor, Scott Morris, to unpack the implications of non-compliance across the letter's four focus areas:
1. Business model
2. Risk assessment
3. Due diligence, ongoing monitoring, policies & procedures
4. Governance, management information & training
AML risk mitigation requires a proactive approach beyond mere checkbox compliance, as emphasised in the FCA's Dear CEO letter, which serves as a warning against AML failings.
The focus spans four key areas: understanding the business model, conducting thorough risk assessments, implementing robust due diligence procedures, and ensuring effective governance, management information, and training.
It's essential to move beyond generic solutions and instead tailor approaches to the specific needs and risks of each firm. The call-out from regulatory bodies like the FCA underscores the importance of holistic thinking in addressing AML challenges.
This responsibility must be embraced by senior management, originating from the top down. It’s crucial to consider any changes across all financial crime risk types and controls and not limit it solely to AML.
Having a robust business model is crucial in mitigating AML risks. A fundamental aspect of AML risk mitigation lies in having a well-defined business plan, with active involvement from management. The FCA prioritises factual data and expects firms to have comprehensive documentation in place.
Such a process not only demonstrates compliance but also a deeper understanding of the risks inherent in market entry and operational changes.
One significant danger to firms is changing business strategies or business models without appropriately considering the financial crime risks, and without being able to demonstrate that consideration afterwards. Hence, establishing a process that places financial crime prevention at the forefront of any such change is imperative, especially for the 13% of businesses currently lacking such a process.
The recent Dear CEO letter serves as a catalyst for all firms to establish or refine their AML processes. This involves:
This holistic approach is crucial for instilling confidence in the FCA regarding the organisation's control and leadership competency. Ultimately, having a well-defined business model that integrates AML risk mitigation ensures regulatory compliance and safeguards the reputation and integrity of an organisation in the financial landscape.
Risk assessment is a critical component of AML risk mitigation and compliance. In our webinar poll, we saw that nearly half of businesses have a Business Wide Risk Assessment (BWRA), but there's often a need for further attention in this area.
Through risk assessment, businesses can pinpoint where their focus should lie. Generic inputs or outputs pose a danger of not being reflective of the specific risks, issues and needs of the firm. A one-size-fits-all approach is inadequate; risk assessment must reflect the unique characteristics and challenges of each business.
Know Your Customer (KYC) procedures are integral to risk assessment, requiring businesses to understand their customers' origins, business activities, and operating jurisdictions. Client risk assessment is vital for financial institutions as it ensures informed decision-making, mitigates potential risks, and safeguards against financial crimes such as money laundering and fraud.
Customers cannot simply be bucketed by type; each must undergo an individual risk assessment, with enhanced measures applied to those rated higher risk.
Even smaller firms with limited budgets can address risk assessment by utilising vendor solutions, provided they ensure these solutions are tailored to their specific needs. Risks should be assessed separately, with controls designed to mitigate them. Businesses must determine whether to accept, mitigate, or avoid risks, ensuring the residual risk aligns with acceptable levels.
Non-compliance with risk assessment requirements carries consequences outlined in regulatory directives, such as the Dear CEO letter, which expects firms to heed warnings and implement necessary measures.
From our webinar poll, we discovered a significant majority, 85%, have established a formal framework and documented process for governance of policies and procedures.
Regular monitoring is essential to evaluate the impact of these policies and procedures in mitigating risks, determining their efficacy and identifying areas for improvement.
While senior management may not need to review every detail of policies and procedures, they should maintain oversight of key aspects to ensure alignment with organisational goals and regulatory requirements. Their involvement in strategic decision-making and oversight provides accountability and reinforces the importance of compliance throughout the organisation.
Overall, due diligence, ongoing monitoring, and robust policies and procedures serve as critical pillars in AML risk mitigation efforts, promoting adherence to regulations and safeguarding against financial crimes.
Governance, management information and training play pivotal roles in mitigating AML risks, and the FCA letter expects a comprehensive approach across all of them rather than isolated fixes.
A significant 42% of our webinar poll respondents conduct a Training Needs Analysis (TNA) annually, a practice that is essential for pinpointing risks and issues within the business and tailoring training programmes accordingly.
Integration between those overseeing the AML programme and the training programme is imperative, ensuring alignment and accountability in decision-making processes.
The FCA emphasises the role of senior management in fostering a culture of compliance, setting the right tone throughout the organisation. A cohesive training approach is advocated, encompassing a comprehensive programme, pre-assessment testing, micro-training modules, and individual adaptation.
This holistic training strategy is essential for demonstrating staff comprehension of financial crime matters, a critical aspect in satisfying regulatory expectations. In essence, effective governance, management information and training are vital components in fortifying AML risk mitigation efforts, fostering a culture of compliance and ensuring regulatory adherence.
Governments have instituted Anti-money Laundering and Counter-terrorism Financing (AML/CTF) regimes to combat the laundering of criminal proceeds and the financing of terrorism. The consequences for perpetrators include severe fines and imprisonment. A risk-based approach (RBA) to AML/CTF is central to implementing the rules effectively, and it involves a three-step process: identify, assess and mitigate.
The RBA requires AML-regulated individuals and entities to identify, assess, and mitigate the ML/TF risks to which they are exposed. This approach allows resources to be concentrated on the higher-risk areas.
AML-regulated individuals and entities need to identify potential ML/TF risks to ensure effective targeting of resources.
It is important to remain informed about the mechanisms commonly employed by ML/TF perpetrators and how these may affect your business and the sector in which you work.
It is also imperative that you document everything, including your reasoning. Identifying risk is not a one-off process; any single exercise is only a snapshot of the situation. As the information constantly changes, the assessment should be updated to remain relevant.
Finally, identifying risk should never be a 'check-box' exercise. However, several starting points may make risk identification (and subsequent assessment and mitigation) of ML/TF practices easier.
For instance, breaking the process down into separate questions:
The first thing to assess is whether the customer is who they say they are.
Ideally, you would meet the customer in person, check their government-issued photographic ID and proof of address and ensure that this aligns with your understanding of the customer.
Identification is just the first step in knowing your customer. The next thing to establish is whether the customer is a politically exposed person (PEP). A PEP is someone entrusted with a prominent public function, a position that could be abused for personal gain or to commit other serious crimes, such as bribery and corruption.
Be aware that dealings with PEPs are not necessarily banned but deemed to involve higher risk.
If the customer is a business entity:
Whether the customer is an individual or an entity, it is necessary to check if they are associated with people on a recognised sanctions list and/or the subject of negative publicity.
Establishing a customer's risk profile involves a comprehensive evaluation of various factors, including their financial background, transaction history, industry involvement, geographic location, and regulatory compliance. This process enables financial institutions to categorise customers based on their risk levels, ranging from low to high, and tailor their services and risk management strategies accordingly.
The FCA's Dear CEO letter emphasises the importance of this practice as it serves to uphold the integrity of the financial system and protect consumers. By prioritising the assessment of customer risk profiles, the FCA aims to enhance transparency, promote accountability, and prevent financial institutions from engaging in activities that could harm both the market and their clientele.
When assessing the risk associated with a service, it's important to ask, 'why has the customer decided to come to us?'. Is this a service your company normally provides, and are you sufficiently skilled?
Certain sectors pose higher risks, and it is important to be aware of whether your sector falls into this category. Generally speaking, the sector's levels of transparency and anonymity correlate with risk.
In the context of the service you're providing, consider the categories of risk assessment:
1. Product risk: This involves assessing the inherent risks associated with your company's products or services. For example, if your company offers complex financial products, the risk of mis-selling or regulatory non-compliance may be higher compared to offering straightforward services. Understanding the complexity, volatility, and potential impact of the products/services on clients is crucial for managing product risk effectively.
2. Channel risk: Channel risk relates to the delivery channels used by your company to provide its services. In an increasingly digital world, companies often rely on online platforms, mobile apps, or other technological solutions to deliver their services. However, these channels also pose risks, such as cybersecurity threats, data breaches, and disruptions in service delivery. From an ML/TF standpoint, the key channel question is whether the customer was onboarded face-to-face or remotely, and whether intermediaries sit between you and the customer, since both make identity harder to verify. Assessing and mitigating these risks is essential to ensure the reliability, security, and continuity of service delivery.
3. Jurisdiction risk: This type of risk refers to the legal and regulatory environment in which your company operates. Different jurisdictions have varying laws, regulations, and compliance requirements that companies must adhere to. Failure to comply with these regulations can result in legal penalties, fines, and reputational damage. Companies need to conduct thorough assessments of the regulatory landscape in their operating regions and stay updated on changes to mitigate jurisdiction risk effectively.
4. Operational risk: Operational risk encompasses the potential for loss due to internal processes, systems, or human error. This includes risks associated with technology failures, operational disruptions, inadequate internal controls, and staffing issues. Companies must implement robust operational procedures, conduct regular risk assessments, and invest in staff training to minimise operational risks and ensure the smooth functioning of their services.
5. Reputation risk: Reputation risk refers to the potential damage to your company's brand or reputation. Negative publicity, customer complaints, ethical lapses, or service failures can significantly impact trust and credibility, leading to loss of customers and revenue. Maintaining high standards of professionalism, transparency, and ethical conduct is essential for mitigating reputation risk and building long-term trust with clients.
By thoroughly assessing and addressing these categories of risk, companies can effectively manage the overall risk profile of their services, enhance service quality, and maintain the trust and confidence of their clients.
The National Risk Assessment lists many higher-risk services. You may glean other clues from sector-specific guidance published by the relevant regulatory or supervisory body.
Higher-risk services may include:
When providing a higher-risk service, it is important to look out for any red flags associated with the customer's behaviour. For example, is there a consistent pattern in the type of services the customer requires, and are the types of services they look for consistent with their business rationale?
Certain jurisdictions pose a higher ML/TF risk level than others. It may sound obvious, but it still needs to be said that a customer or a service will pose a higher risk if associated with a higher-risk country or jurisdiction.
Note that there only needs to be an association with the high-risk jurisdiction to trigger a greater need for scrutiny - it does not need to be a direct link. For example, if a customer subsidiary's base is in a high-risk jurisdiction, you may need to dig deeper. This is especially true if the funds move through an entity in a high-risk jurisdiction.
You should also know where a customer is in your jurisdiction. For example, suppose a customer is in a different city, county or province. In that case, you may query why the customer has come to you instead of a similar service provider closer to home.
You should ask yourself whether any transactions or dealings with the client could be hidden or anonymised and whether your actions could assist with that activity. When looking at the risk of transactions, you should consider the whole picture.
A broad view refers to the business activity and rationale of the customer, so you can assess whether the relevant transactions make sense. Understanding the source of funds (and the source of wealth in more suspicious transactions) is fundamental to this process.
Other transactional risk factors are associated with:
Cash transactions are difficult to trace by nature, so look for invoices and official receipts to prove these transactions. Certain wire transfer services that are notoriously hard to track should also set off alarm bells.
When dealing with established cryptocurrencies and transactions involving non-fungible tokens (NFTs), you will generally be able to get a snapshot of the public blockchain, or at least a list of transactions, that gives you a clue to the source of funds. Bear in mind that addresses are pseudonymous, so linking an address to the customer still depends on the customer's own disclosures or a blockchain analytics provider, and mixing services or privacy-focused coins can break the trail entirely.
Furthermore, it would be best if you examined any transactions involving payment to unrelated third parties in more detail.
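The transactional red flags above (cash with no invoice or receipt, payments to unrelated third parties, counterparties in higher-risk jurisdictions, and transactions that do not fit the customer's stated business rationale) are simple enough to screen for mechanically. The following is an added example written for this page, not code from Skillcast or the webinar: the customer profile, the transactions, the hypothetical country code "HR1" and the screening rules are all constructed for illustration, and a real programme would source its country list and related-party data from its CDD records and current official lists.

```python
"""Rule-based screening of a customer's transactions for ML/TF red flags.

Added example; the rules, names, country code and sample data are constructed
assumptions, not figures from the page or from any regulator.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical high-risk country code (assumption). A real programme feeds in
# the current HM Treasury / FATF lists rather than a hard-coded set.
HIGH_RISK_JURISDICTIONS = {"HR1"}


@dataclass(frozen=True)
class Transaction:
    ref: str
    amount: float
    method: str                 # "cash", "wire", "card", "crypto"
    counterparty: str
    counterparty_country: str   # ISO-style code, e.g. "GB"
    purpose: str                # purpose as stated on the instruction
    invoice_ref: Optional[str] = None   # supporting document, if any


@dataclass(frozen=True)
class CustomerProfile:
    """What CDD established at onboarding: the rationale the transactions
    are judged against, so 'does this make sense?' becomes a comparison."""
    name: str
    declared_activity: str
    related_parties: frozenset      # suppliers/customers disclosed during CDD
    expected_purposes: frozenset    # payment purposes consistent with the activity


def screen(tx: Transaction, profile: CustomerProfile) -> list:
    """Return the red flags raised by one transaction (empty list if none)."""
    flags = []
    if tx.method == "cash" and not tx.invoice_ref:
        flags.append("cash transaction with no invoice or official receipt")
    if tx.counterparty not in profile.related_parties:
        flags.append("payment to unrelated third party")
    if tx.counterparty_country in HIGH_RISK_JURISDICTIONS:
        flags.append("counterparty associated with high-risk jurisdiction")
    if tx.purpose not in profile.expected_purposes:
        flags.append("purpose inconsistent with declared business rationale")
    return flags


def review(transactions, profile: CustomerProfile) -> dict:
    """Screen a batch and say whether anything needs referring to the MLRO.

    The decision to file a SAR/STR stays with the MLRO; this only surfaces
    the facts and the rule that fired, which is the record you must keep.
    """
    per_tx = {t.ref: screen(t, profile) for t in transactions}
    flagged = {ref: flags for ref, flags in per_tx.items() if flags}
    return {"flagged": flagged, "refer_to_mlro": bool(flagged)}


# Constructed sample data for a fictional joinery business.
PROFILE = CustomerProfile(
    name="Northwind Joinery Ltd",
    declared_activity="carpentry and joinery",
    related_parties=frozenset({"Timber Supplies Co", "Hardware Depot"}),
    expected_purposes=frozenset({"materials", "tools", "wages"}),
)

SAMPLE_TRANSACTIONS = [
    Transaction("T1", 4200.0, "wire", "Timber Supplies Co", "GB", "materials", "INV-1001"),
    Transaction("T2", 9500.0, "cash", "Hardware Depot", "GB", "tools"),
    Transaction("T3", 25000.0, "wire", "Blue Lagoon Ventures", "HR1", "consultancy"),
]


if __name__ == "__main__":
    result = review(SAMPLE_TRANSACTIONS, PROFILE)
    for ref, flags in result["flagged"].items():
        print(ref, "->", "; ".join(flags))
    print("Refer to MLRO:", result["refer_to_mlro"])
```

Every rule here is a comparison against something the firm already holds from CDD, which is the point the text makes: a transaction is only "suspicious" relative to a documented understanding of the customer. The flags are plain strings so that the reason a transaction was referred can be recorded with it.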
There are two main considerations here that tie into the other risk factors. These considerations include whether the service will be:
Risk mitigation is another thing to consider when planning service delivery. If a customer poses a higher risk, or if something appears suspicious about part of a service, it may be possible to onboard the customer for lower-risk services only, provided this is a documented risk decision and not a way of sidestepping due diligence or a reporting obligation.
In doing so, you can build a relationship with the customer. You can use the ongoing relationship to vet the customer for higher-risk services.
After identifying the possible ML/TF risks, it is necessary to assess those risks formally. It is important to understand that although a fundamental part of the RBA involves gathering quantitative and qualitative information, this is simply the start of the process. Without proper analysis of the information and a judgement call, the information has no function.
Assessing risk requires determining how the ML/TF risks identified are likely to pan out. This process involves looking at all the available information and judging the likelihood of these risks eventuating and the impact on the transaction, individual customer relationships, the business, the sector in which you work, and the economy.
The main purpose of conducting a risk assessment is to challenge the facts in front of you. To achieve this, you may need to cross-reference facts, double-check consistency and conduct additional research.
This does not mean that everyone working for an AML-regulated entity must become a detective. Rather, if red flags appear when conducting due diligence, they should be examined and acted on, not ignored.
ML/TF risks generally fall into the category of low, medium or high:
Low risk - a markedly lower chance of ML/TF occurring
It is best practice to assess risk at all levels of an AML-regulated business. A full assessment means that you should perform risk assessment at the following levels:
Each of these assessments should be guided by and fed into each other. It is also best practice to consider risk assessments performed at the following levels:
A company's Business Risk Assessment (BRA) is a living document that forms part of its AML/CTF Policies and Procedures. The BRA should be constantly reviewed and redrafted if necessary.
It helps to remove some of the hassle for individual employees as it already provides an assessment of ML/TF risks that may affect the business. It also looks at business activities relating to the wider economy, considering the most up-to-date domestic laws, rules and guidance.
You should assess all customers of an AML-regulated business individually. It is also wise to examine the customer relationship in line with the company's BRA, internal AML/CTF policies, current affairs, national laws, and guidance. This process is referred to as a Customer Risk Assessment (CRA).
This assessment often uses the information gathered during the risk identification process, including information derived from Customer Due Diligence (CDD) at the onboarding stage. It is important to remember that CDD is just one tool that can be used to complete a CRA, and the CRA often helps to inform the level of CDD that needs completing.
Like all other parts of the RBA, CRA is an ongoing process. Still, the ideal time to start the process is just before establishing the relationship to ensure more control over risk mitigation. At that stage, neither party has fully committed themselves to the relationship.
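The CRA described above turns the factors identified earlier (PEP status, sanctions association, higher-risk jurisdictions including indirect ones, non-face-to-face onboarding, cash intensity, unrelated third-party payments, higher-risk services) into a low/medium/high rating that drives the level of CDD. As an added worked example, not code from Skillcast, the webinar or any regulator, here is one way to make that judgement repeatable and documented. The weights, thresholds, country codes "HR1"/"HR2" and the sanctions name are all assumptions for illustration; a real programme would take its lists from official sources and use a proper screening service rather than an exact-name match.

```python
"""Customer Risk Assessment (CRA) as weighted scoring with hard overrides.

Added example; weights, thresholds and reference lists are illustrative
assumptions, not values from the page or from any regulator.
"""
from dataclasses import dataclass

# Constructed reference data (assumption). Real programmes use the current
# HM Treasury / FATF country lists and a sanctions screening provider.
HIGH_RISK_JURISDICTIONS = {"HR1", "HR2"}
SANCTIONS_LIST = {"ACME HOLDINGS LTD"}    # hypothetical designated name


@dataclass(frozen=True)
class Customer:
    name: str
    home_jurisdiction: str
    # Jurisdictions of subsidiaries and of entities funds pass through: an
    # indirect association is enough to raise scrutiny.
    associated_jurisdictions: tuple = ()
    is_pep: bool = False
    adverse_media: bool = False
    face_to_face: bool = True
    cash_intensive: bool = False
    pays_unrelated_third_parties: bool = False
    higher_risk_service: bool = False


# Illustrative weights (assumption). A sanctions match is an override, not a weight.
WEIGHTS = {
    "pep": 4,
    "high_risk_jurisdiction": 3,
    "adverse_media": 2,
    "cash_intensive": 2,
    "unrelated_third_party_payments": 2,
    "higher_risk_service": 2,
    "non_face_to_face": 1,
}
MEDIUM_THRESHOLD, HIGH_THRESHOLD = 3, 6   # assumption
CDD_LEVEL = {"low": "SDD", "medium": "CDD", "high": "EDD"}


def sanctions_hit(c: Customer) -> bool:
    """Exact-name check for the example only; real screening is fuzzy and
    also uses identifiers such as date of birth or registration number."""
    return c.name.strip().upper() in SANCTIONS_LIST


def identify_factors(c: Customer) -> list:
    """Step 1 of the RBA: list the factors present, so the rationale is
    documented alongside the result rather than lost in a single number."""
    factors = []
    if c.is_pep:
        factors.append("pep")
    if c.home_jurisdiction in HIGH_RISK_JURISDICTIONS or any(
        j in HIGH_RISK_JURISDICTIONS for j in c.associated_jurisdictions
    ):
        factors.append("high_risk_jurisdiction")
    if c.adverse_media:
        factors.append("adverse_media")
    if c.cash_intensive:
        factors.append("cash_intensive")
    if c.pays_unrelated_third_parties:
        factors.append("unrelated_third_party_payments")
    if c.higher_risk_service:
        factors.append("higher_risk_service")
    if not c.face_to_face:
        factors.append("non_face_to_face")
    return factors


def assess(c: Customer) -> dict:
    """Step 2: convert the factors into a tier and the CDD level it implies.

    Overrides come first: a sanctions match is not a scoring question, and a
    PEP is treated as high risk regardless of the rest of the profile.
    """
    if sanctions_hit(c):
        return {"tier": "refer", "score": None, "factors": ["sanctions_match"],
                "cdd": "do not onboard; escalate to MLRO"}
    factors = identify_factors(c)
    score = sum(WEIGHTS[f] for f in factors)
    if c.is_pep or score >= HIGH_THRESHOLD:
        tier = "high"
    elif score >= MEDIUM_THRESHOLD:
        tier = "medium"
    else:
        tier = "low"
    return {"tier": tier, "score": score, "factors": factors, "cdd": CDD_LEVEL[tier]}


if __name__ == "__main__":
    for cust in (
        Customer("Jane Smith", "GB"),
        Customer("Kite Logistics", "GB", associated_jurisdictions=("HR1",),
                 higher_risk_service=True, adverse_media=True),
        Customer("Acme Holdings Ltd", "GB"),
    ):
        print(cust.name, "->", assess(cust))
```

The output keeps the factor list next to the tier because the assessment has to be defensible later: a reviewer (or the FCA) should be able to see which facts drove the rating, and re-running `assess` when a factor changes is what makes the CRA the ongoing process the text describes.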
Always bear in mind that the cost of losing a customer is always less than what may be associated with losing the whole business.
As you have probably noted, each level of assessment will affect every other level of assessment. Therefore, it is important to ensure that you document and communicate changes to risk resulting from an assessment to all relevant parties. Don't panic; for most of us, this means keeping proper records (for at least five years), reporting when appropriate and keeping in touch with the MLRO and/or Legal/Compliance.
Simply identifying and assessing risk would have little practical effect on reducing ML/TF activity if you don't act on the results. All AML-regulated businesses are obliged to report suspicious activities or transactions to the relevant national Financial Intelligence Unit.
Depending on the jurisdiction, reporting happens through a formal Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). This obligation extends to a duty to report any suspected predicate offences.
Fulfilling the duty to report should happen as soon as the suspicion arises, so long as the suspicion is reasonably well-grounded. AML/CTF reporting should never be used to harass or defame others. Where suspicion is well-grounded, don't look to investigate further before reporting. Report it immediately and monitor the situation.
Given the interconnectedness of AML/CTF processes, the duty to report does not cease because you rejected the suspicious transaction or at the point that the customer relationship terminates. The duty to report suspicious activity is ongoing, and it applies irrespective of whether there is a continuing relationship with the potential subject of the report.
It is also important to remember that the duty to report goes hand in hand with an obligation to avoid doing anything that may tip off the potential subject of a SAR/STR. Even inadvertent tipping-off can have serious repercussions.
Although it is important to maintain strong communication lines, it is also important to limit the extent of disclosure. Avoid discussing suspicions with colleagues or even managers. Save the conversation for the MLRO.
Note that this does not stop you from asking colleagues for advice on how to perform your role more effectively. For example, asking for advice on the company's AML/CTF policies and procedures or how to best gather information through the CDD process.
Don't worry; you are not in this alone. Your company's MLRO and Legal/Compliance Unit should be your first point of call if you have any questions about identifying ML/TF practices. Their function is to keep informed about ML/TF practices and the best means to identify, assess and mitigate ML/TF risk.
If direct reporting would put the reporter in an uncomfortable or dangerous position, the reporter may use the whistleblowing hotline instead.
We've created a comprehensive AML roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.