Despite new anti-money laundering rules appearing every year, the basic building blocks remain the same. We unpack everything you need to know about protecting your business from money laundering risk.
🎧Listen to the audio: |
According to the National Crime Agency (NCA), serious organised crime costs the UK tens of billions annually. So it is understandable that the government is keen to reduce it.
Money laundering regulations aim to make it harder for criminals to use the financial system to launder their ill-gotten gains. It also enables the authorities to recover any proceeds of crime and take the financial incentive out of crime.
These tips aim to help your firm tackle the challenge of keeping pace with ever-changing regulations and guard against money laundering.
Too many firms rely on external consultants to help put together an almost off-the-shelf AML policy and procedural framework that doesn't reflect a firm's day-to-day business activities.
Too often, there is misalignment within financial crime risk management frameworks. The risk assessment should drive the policy. Procedures need to reflect actual business as usual, and the subsequent controls should monitor that the entire process is aligned and working.
With data sets that require scrutiny becoming larger and larger, it is almost impossible to have an effective financial crime risk mitigation strategy without technology components.
Whether this is within client identification, client and transaction monitoring, or managing the outputs from all these processes in one clear view, the regulators expect a clear technology plan.
When using third-party PEP and a sanctions list, make sure you understand where the data come from and how they are maintained. When using analytics to monitor behaviour, trends, and transactions, ensure you explain the underlying rationale for the deployed algorithms.
Risk-based due diligence includes all customers, associates, consultants and third parties. The higher the risk, the higher the level of due diligence required.
Regulations are emerging that require firms to provide more detail about their actions in this regard and why they believe that they are appropriate.
Everyone in a firm should be able to explain how their firm and its products and services are most at risk from financial crime. In the same vein, everyone should be clear on how to respond to unusual activity to determine whether it gives rise to concern or possibly suspicion.
Regulations require regular internal control reviews and reassessments. These should be hardcoded into your financial crime compliance programme with a frequency that reflects the risks your business is exposed to.
This is due to the types of clients it deals with, the products and services it sells, and the jurisdictions it operates within.
The risk assessment and associated risk mitigants will drive the required resources decision. Without sufficient resources, a firm cannot revisit the risk assessment. A financial crime team needs adequately competent staff and an efficient toolkit to manage financial crime risk. Not having that is a big red flag to any regulator.
The EU has steadily tightened its anti-money laundering (AML) regulations through directives like 4MLD, 5AMLD, and 6AMLD. While 6AMLD may be the last numbered directive, the EU's latest AML package, unveiled in July 2021, represented the most significant overhaul of AML and counter-terrorist financing legislation to date.
These changes, based on the EC's 2020 Action Plan, aim to further strengthen the EU's fight against financial crime.
Despite stringent AML rules and regulations, money laundering poses a threat to all businesses. A risk-based approach to AML aims to mitigate this threat.
Governments have instituted Anti-money Laundering and Counter-terrorism Financing (AML/CTF) regimes to combat this cycle. The consequences for perpetrators include severe fines and imprisonment. A risk-based approach to AML/CTF is central to implementing rules effectively, and it involves a three-step process:
AML-regulated individuals and entities need to identify potential ML/TF risks to ensure effective targeting of resources. It is important to remain informed about the mechanisms commonly employed by ML/TF perpetrators and how these may affect your business and the sector in which you work.
It is also imperative that you document everything, including your thought processes. Identifying risk is not a one-off process – it is simply a snapshot of the situation. As information constantly changes, it should always be updated to remain relevant. As a starting point, break the process down into separate questions:
To verify customer identity and mitigate risk, an in-person meeting is ideal to inspect government-issued photo identification and proof of address. Identification is just the first step in knowing your customer. Identifying any Politically Exposed Persons (PEPs) is crucial, as dealings with PEPs, though not prohibited, can pose higher risks due to potential abuse of power.
Industries like payroll, company formation, probate, real estate, money services, gambling, cryptocurrency, and tax advice are inherently risky due to their potential for financial crime and fraud.
The National Risk Assessment includes many higher-risk services. When providing these services, it's crucial to be vigilant for red flags in customer behaviour, such as inconsistent service requests or actions that don't align with their stated business purpose.
Countries and jurisdictions vary in their risk of money laundering and terrorist financing. If a customer or service is associated with a high-risk country or jurisdiction, it poses a greater risk, even if the link is indirect. For example, through a subsidiary or financial transaction.
Consider whether transactions or dealings with a client could be concealed or anonymised. Evaluate the speed, volume, and frequency of transactions, as well as the payment methods used. Cash transactions are difficult to trace, and wire transfer services that are hard to track are red flags.
While cryptocurrencies and NFTs offer some transparency through blockchain records, it's important to be aware of their potential for illicit activity.
The mode of service delivery—in-person or remote—and the involvement of intermediaries can impact risk. To mitigate risk, consider offering lower-risk services to higher-risk customers or those exhibiting suspicious behaviour.
After identifying potential ML/TF risks, they must be formally assessed. This involves analysing gathered information to judge the likelihood and impact of risks on transactions, customer relationships, the business, your sector, and the wider economy.
- Low Risk: Unlikely ML/TF events
- Medium Risk: Standard risk level
- High Risk: Likely ML/TF events
- Transactional: Assessed by the person handling the transaction
- Customer: Reviewed in line with company policies
- Business: Conducted by the MLRO, senior management, and Compliance
- Sectoral/National/International: Guided by regulators, national risk assessments, and global standards (e.g., FATF reports).
The BRA is a dynamic document forming part of AML/CTF policies, regularly updated to reflect changes in laws and guidance. It helps streamline individual assessments by pre-identifying business risks.
CRAs evaluate individual customers using onboarding and due diligence data. This ongoing process ensures risks are managed before relationships are fully established. Prioritise mitigating risks over retaining customers—business survival is paramount.
Merely identifying risks isn’t enough to combat ML/TF activities—you must act. All AML-regulated businesses are legally required to report suspicious activities or transactions to the relevant national Financial Investigation Unit.
We've created a comprehensive AML roadmap to help you navigate the compliance landscape, supported by several financial crime prevention courses in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!