Introduction
This guide will assist in-house counsel and risk and compliance teams with the steps that their organisation should take to conduct or refresh an assessment of money laundering and terrorist financing (ML/TF) risk in terms of the UK money laundering regulations.
It covers the following:
- Overview
- Nature of an ML/TF risk assessment
- The five areas of ML/TF risk
- Practical guidance for assessing ML/TF risk
This guide can be read in conjunction with Checklist: Staff awareness and training to prevent money laundering and terrorist financing.
Section 1 – Overview
The guide is applicable to those organisations that are subject to the Money Laundering and Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (MLR).
All businesses regulated in terms of the MLR must assess the risk of being used by customers for ML/TF. An organisation-wide risk assessment is a key way to measure and assess risk.
Assessing ML/TF risk within a business can be a complex process that requires a detailed understanding of how the risk presents in the individual circumstances of the business’s sector and customer risk profile.
Section 2 – Nature of an ML/TF risk assessment
A risk assessment is the exercise of identifying the business’s key risks and testing the controls in place to mitigate those risks. It has variously been described as the ‘core’ or the ‘backbone’ of any business’s anti-money laundering (AML) compliance, and is an essential tool for informing and developing effective AML policies and procedures. The risk assessment seeks to measure the business’s exposure to the risks it faces in order to plan actions to reduce those risks. It is generally conducted annually.
2.1 Who needs to conduct a risk assessment?
Regulation 18(1) of the MLR requires all regulated businesses to undertake and maintain a written risk assessment.
2.2 How to conduct an ML/TF risk assessment
There are many ways in which a business might approach the risk assessment process and there is no ‘one size fits all’ approach. Any good organisation-wide risk assessment will include a detailed explanation of the business, including a deeper examination of any known higher-risk areas of work, and an evaluation of the controls which impact on the risks inherent in the work undertaken. In particular, the risk assessment must consider the ML/TF risks to which the business is exposed by the following factors:
- customer types;
- geographical sphere of operations (ie, where it and its customers are based);
- products and services sold or offered;
- transactions (including volume and complexity); and
- delivery channels and payment processes.
These five key areas of ML/TF risk should be front and centre of the risk assessment. More information about how to assess the risks in each of these areas can be found in Section 3.
A potential step-by-step method for conducting a risk assessment is suggested below. Note that sector-specific regulators have declined to provide a prescriptive template for the process, preferring to afford businesses some discretion as to the best way to follow the general principles.
Table 1: Example step-by-step method for conducting an organisation-wide risk assessment

| No. | Step | Explanation |
| --- | --- | --- |
| 1 | Establish approach | |
| 2 | Assess the inherent risk | Sit at the desks of your business lines and functions to understand their day-to-day activities in order to determine the risks that attach to the business. Gather statistics and management information about the five key areas of risk identified by the MLR as being relevant to the risk assessment process: client type; geographical sphere of operations; transactions; products and services; and delivery channels. The inherent risk may be scored using the following scale: |
| 3 | Evaluate the controls | Assess whether the business’s existing controls adequately address the risks. Determine whether the controls are working as designed, and whether the design is right to reduce the risk of ML/TF to an acceptable level. The effectiveness of the controls may be calculated on the basis of the following assessment: |
| 4 | Determine the residual risk | Consider the extent to which the business’s controls deal with the inherent risk. Residual risk is the overall risk rating given to a particular risk area once the inherent risk and control effectiveness have been aggregated. Each risk category should be given a residual risk. The following matrix will apply: Once the residual risk has been calculated for each risk area (out of a maximum of 25), the total residual risk score should be calculated by applying appropriate weighting (for example, by multiplying each category score by 20% to give an equally weighted score out of 5). Weightings for categories can be amended as deemed appropriate by your MLRO and senior management. Once weighted scores have been calculated for each risk area, they are added up to give a total out of 25. This score then translates into an overall risk rating for the business, as follows: |
| | Does the residual risk warrant new or additional controls? If yes, complete steps 5 to 7 | |
| 5 | Action planning | Prepare action plans and recommendations to mitigate the residual risks. Develop remediation timeframes and division of responsibilities. |
| 6 | Approval and sign-off | The risk assessment, recommendations and remediation/action plan should be approved by the MLCO and the MLRO. Where these are the same person, another senior individual with sufficient skill and experience should review the findings with a view to applying appropriate challenge if necessary. Agree ownership of ML/TF risk. |
| 7 | Review and audit | Determine the timeframe for a repeat of the process and ensure that responsibilities for the independent audit function required under regulation 21 of the MLR 2017 are allocated in line with regulatory requirements, as well as setting timeframes for delivery. |
Section 3 – The five areas of ML/TF risk
There is plenty of written guidance available to help with identifying the risks associated with the five areas of ML/TF risk referred to in Section 2. Regulators provide sector-specific guidance which should be consulted in detail, together with the sector-wide risk assessment. The UK National Risk Assessment, the Joint Money Laundering Steering Group Guidance and Appendices and the Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption also provide some useful advice.
Considerations for each area of risk are outlined below.
3.1 Customer risk
Assess what the risk is of the business’s customers (including beneficial owners where the customer is a company) being involved in money laundering. Are there any characteristics of your customer relationships which present a known higher risk of money laundering? You should consider the following:
- type of client and business activity (industry/sector risk; whether you work with politically exposed persons (PEPs) or high-net-worth individuals; regulated status; length of relationship);
- reputation (adverse news; suspicious activity reports (SARs)); and
- nature and behaviour (any issue in obtaining customer due diligence (CDD); transparency of ownership; bearer shares or nominee shareholders; or requests for secrecy).
3.2 Location/geographic risk
Ask what the risk is of customers linked to any identified high-risk jurisdictions being involved in money laundering. The current list of high-risk jurisdictions is set out in Schedule 3ZA of the MLR, as amended. You can also use the Financial Action Task Force list to find out which jurisdictions have been assessed as having ineffective AML regimes. HM Treasury has also published the following guidance: Money Laundering Advisory Notice: High Risk Third Countries. You should consider:
- the jurisdictions in which the business or its branches are based;
- the jurisdictions in which customers or beneficial owners are based; and
- the jurisdictions of your main place of business.
3.3 Products and services risk
Ask what the risk is of your products or services provided being used for money laundering. Are they known to be used for money laundering? You should consider:
- the level of transparency or otherwise, and the extent to which these products facilitate anonymity or opacity (anonymity is considered a risk because it prevents you from gaining a proper understanding of your customer’s identity, which is a requirement under the MLR). Examples of products that facilitate these features include pooled accounts, bearer shares and offshore trusts; and
- the level of complexity, including the extent to which a third party that is not part of the business relationship may give instructions, the extent to which third-party payments are allowed and any risks associated with new or innovative products.
3.4 Transaction risk
Ask what the typical value of transactions is. What are their features? You should consider:
- whether they are high value in the context of their class of transactions, or cash intensive; or
- conversely, whether there are any caps on transaction values that may limit ML/TF risk.
3.5 Delivery channel risk
Ask about the risk of the delivery channel being used for money laundering. Is it difficult to determine the identity of the customer? You should consider:
- the extent to which the business relationship is conducted on a non-face-to-face basis, whether the customer is physically present for identification and if not, whether a reliable form of non-face-to-face CDD is used; and
- any introducers or intermediaries that the business might use and the nature of their relationship to the business. Where introduced by a third party, consider how the party is linked to the business – is it part of the same group or unrelated? If unrelated, consider what checks have been undertaken on CDD measures applied by the third party and whether reliance is placed on them.
Section 4 – Practical guidance for assessing money laundering and terrorist financing risk
4.1 Who should undertake the risk assessment?
This will depend on the size and the nature of your business. Businesses with dedicated financial crime compliance resources may be able to commission one or more senior experts from those teams to undertake their risk assessment in-house.
For smaller businesses, the MLRO may seem like the first choice. Certainly, they will be an excellent repository of knowledge relating to money laundering risks and trends; and no risk assessment will be complete without a thorough review of the previous year’s internal suspicions reporting and MLRO report. In some cases, the MLRO will be the most experienced and appropriate assessor; but it is worth considering whether the MLRO has the bandwidth to undertake the process, which can be lengthy for sizeable or more complex businesses. Some businesses have devoted full-time resources over several months to the process of establishing the risks and assessing controls, so it is important to consider whether the MLRO will be able to do their day job if they are too heavily involved in this process.
For businesses of a certain size that are undertaking complex or substantial regulated business, it will often be appropriate to ask an external provider to undertake this process. Any external risk assessor will need to develop a detailed understanding of the business. It will not be enough simply to record that the business provides, for example, private wealth management services. The risk assessor will need access to the relevant team at customer relationship manager and senior manager level to understand the day-to-day business being undertaken within the team and the extent to which that team is alive to, and managing, ML/TF risk, often in conjunction with other functions with specific responsibilities for managing ML/TF risk.
It is essential that generic statements are avoided, and that the risk assessment is underpinned by a detailed understanding and exposition of the business’s individual client base; its areas of operation; its products and services; the transactions that it undertakes; and the way in which it delivers its products and services. This requires resources and expertise on the part of the assessor. If an external provider is instructed, ask to see anonymised examples or extracts of previous risk assessments, and ensure that those conducting the risk assessment have a developed understanding of regulated business in your sector. Businesses should feel confident in testing knowledge of sector-specific AML risk before settling on a provider.
4.2 Who is best placed to inform the risk assessment?
The key point is that businesses need not reinvent the wheel and can use the existing risk resources available to collect information on which to base an understanding of their risk landscape. If the customer onboarding process is conducted by a central unit, this will be one of the initial resources in understanding both inherent risk and control effectiveness. Where there is a wider AML or financial crime compliance team, this will likely be a great resource in assisting with an understanding of the trends. One starting point is to understand the AML risk according to management information, facts and figures.
Some preliminary questions include the following:
- How many current clients does your business have?
- Is there a breakdown by business line or area?
- How many clients were opened in each area in the last year/three years/five years?
- How many current clients are individuals and how many are corporates?
- How many of the corporate clients are listed entities? Where are they based?
- How many clients are longstanding or repeat instructors/users?
- How many clients are subject to enhanced due diligence (EDD)/standard due diligence/simplified due diligence?
- How many PEP clients does the business have? Those with a sanctions connection? Severe adverse media hits? How many clients have a connection to a high-risk jurisdiction?
- Are instances of remote clients recorded? Are these clients treated as higher risk?
- Does the business keep a list of breaches? Is there an AML log to flag up AML-related issues?
- How many internal and external SARs have been made by the business in the last year/three years/five years? What are the common themes? What trends can be identified from those SARs?
- What transaction monitoring alerts have been generated? For larger businesses, what is the algorithm and how is it calibrated? What trends or themes can be identified from alerts and their disposals?
- When was the last AML audit (or audit with an AML component)? What do the findings say?
- What AML training does the business offer? Is it compulsory? What was the take-up rate?
- Does the business keep a log of business rejected on the basis that the client was unable to satisfy AML requirements at onboarding or in the course of the relationship?
- Does the business’s regulator require an annual AML ‘return’ type document in which some of this information may already have been collated? If so, this may also assist.
In addition to the ‘facts and figures’ type information above, it may help to ask wider questions about the management of risk in the business more generally, such as the following:
- Is there a risk or other AML committee in the business? If so, are the meeting minutes available?
- Does the board discuss AML issues? If so, are the meeting minutes available?
- What does the MLRO’s annual report say? What discussion occurred at senior management level as a result of the report? Was it approved?
- Do the MLCO and MLRO meet regularly? If so, what do they discuss? Are the meeting minutes available?
- What do the business’s AML policies, controls and procedures say? Are they well drafted, comprehensive and accurate?
Not all businesses will be able to answer these questions. Collecting business and management information will be key to informing the risk assessment; therefore, if it is not possible to obtain these statistics, the business should consider what changes need to be made to the client onboarding process and record keeping so that in the future, they can be retrieved and analysed.
One option for smaller businesses where not all this data is centralised is for the MLRO to keep a log of all EDD approvals, which is searchable by type (eg, sanctions, severe adverse media, PEP). This will allow such information to be used in order to inform the inherent risk analysis. Even where this information is not currently recorded, businesses should consider introducing it during the risk assessment process so that it can be included as a control and the results used in the next annual risk assessment.
4.3 Who in the business can help?
Sometimes, and particularly in larger businesses, it can be a daunting task for the risk assessor to fully identify the fundamentals of each business area. It is important that the day-to-day work of each team is properly understood – not just with reference to the ‘products and services’ aspect, but for all five risk areas outlined above. One team may be entirely open to new technologies, while another may deliver services in a very traditional form. If this information isn’t being identified through engagement with the business, the risk assessment will be missing vital data about the business’s ML/TF risk profile.
The risk assessor should not be afraid to approach senior management for information. Senior managers are a good place to start, and should be able to point to others in the team with more time if they cannot engage in detail. Interviews can be valuable, but questionnaires are another useful method of gathering information which can be followed up with telephone interviews or face-to-face meetings for the highest-risk areas.
Be creative. In the case of a law business, for example, if the business utilises professional support lawyers, they may be under less pressure in terms of client work and will likely be another useful resource – they will often possess a deep understanding of their business and should be able to give a good overview of the work undertaken within the individual teams. For a bank, speaking to a customer onboarding analyst or a member of the transaction monitoring team may bring a fresh perspective in terms of understanding the risks from the bottom up.
4.4 Using the MLCO to help with engagement
It may be difficult to gain traction in the business when conducting a risk assessment – and this can sometimes be even more challenging when the risk assessment remains in-house. If client-facing employees are busy, they may feel unable to set aside time to engage with the risk assessment process. Similarly, supervisors may not understand the overall picture and the need to offer support and resources in preparing the assessment. Tone from the top is essential in changing to a culture where ML/TF risk is taken more seriously and afforded greater prominence, and this is certainly what the regulator will expect. In accepting the appointment as a board-level member with responsibility for compliance with the regulations (including regulation 21(1)(a)), the MLCO has assumed legal responsibility in this area and is personally accountable.
They will likely be keen to demonstrate the importance with which the risk assessment is to be treated. Consideration should be given to whether the MLCO can help by sending communications (whether business-wide, specific to customers or products, or to individuals) requiring engagement and assistance. The risk assessor should also set regular appointments during the process to discuss progress with the MLCO and ask for help where difficulties arise in obtaining information.
4.5 Finally… Presentation
Both the regulator and the business’s fee earners need to understand the business’s ML/TF risks – if not at a glance, then without having to wade through reams of paper. Businesses should be prepared to present their risk assessments in simple formats that make it easy for readers to visualise where the risks are highest – for example, by using colours and figures to illustrate the risks in a clear way.
Additional resources
- Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery and Corruption
- Joint Money Laundering Steering Group’s guidance
- Financial Action Task Force website
- International Bar Association/American Bar Association/Council of Bars and Law Societies in Europe guide to detecting and preventing money laundering
- UK National Risk assessment of money laundering and terrorist financing (2020)
- EU supranational risk assessment
- Guidance on risk assessing your business for money laundering supervision
- Legal Sector Affinity Group Anti-Money Laundering Guidance for the Legal Sector
- ICAEW Firm-wide risk assessment methodology
Related Lexology Pro content
How-to guides:
- Understanding the role and responsibilities of a Nominated Officer under the Money Laundering Regulations
- How to file a Suspicious Activity Report under the Proceeds of Crime Act 2002
- How to navigate the challenges relating to Source of Wealth and Source of Funds
Checklists:
- Staff awareness and training to prevent money laundering and terrorist financing
- Customer Due Diligence (CDD) obligations under the Money Laundering Regulations
- Enhanced due diligence (EDD) obligations under the Money Laundering Regulations