Risk assessments have been a part of the EU Anti Money Laundering landscape for some time now and while 4MLD brought to the fore the need to have documented risk assessments, they are by no means a new concept.
The issue is that, with limited guidance or specific structure from the regulators on how to write such a document, firms often miss the mark: their risk assessments either look at factors which are irrelevant to AML risk (such as credit considerations) or simply do not consider in enough depth the actual elements and objectives of a risk assessment.
Beyond this, firms often fail to link risk assessments together in such a way as to make them useful, or they will develop an overall ‘business risk’ assessment which declares that the firm is low risk, ignoring that yes, on average it is low risk, but that its cash handling business for the diamond trading client is probably an outlier. This sits neatly on a shelf next to the seldom-used AML policy until next year, when it is diligently updated ahead of an audit.
So, here is the fscom guide to the common pitfalls of writing a risk assessment for your firm.
1. Silos are good for missiles or storing grain. They aren’t good for risk assessments.
Risks do not exist in isolation. Firms often produce a product risk assessment, then individually risk assess all of their customers, then consider the geographic risks – all as separate and wholly independent assessments. In reality a client’s risk should be viewed holistically; a high risk client using a high risk product is worth more scrutiny than a low risk client using a high risk product.
It is only by linking various factors together and considering the entire customer journey that truly higher risk situations will be spotted and mitigated. Firms should ensure that they have a method for compounding and spotting situations with multiple risk factors, including the relationship between these risk factors: it would not be unusual for a client incorporated in a high risk jurisdiction to have an ultimate beneficial owner (UBO) resident or national in the same jurisdiction.
2. Risks are specific and specific controls are needed
Understanding the risk of a client is far more than a formulaic high to low risk categorisation. A client who presents a risk on the basis of being a politically exposed person (PEP) has an entirely different profile to a client who is risky because of a high cash turnover. The controls needed to mitigate the risks are very different and so lumping both into a ‘high risk’ category and applying the same enhanced due diligence (EDD) methods defeats the point of the risk assessment and a risk based approach in the first place.
More granularity is needed to recognise the actual typology of the risk and then to consider how to mitigate the specific risks posed. If, by the time we get to our transaction monitoring stage, we cannot tell from the risk score what risk we are monitoring for, well, the whole exercise was a bit of a waste of time.
3. Keeping it relevant
As Deutsche Bank discovered in January of this year, to the tune of £163m, using out of date and flawed risk assessments can be as bad as not having one.
Geographic risks, especially, can change rapidly. For example, Denmark, which sits in the top 10 least risky countries according to the Basel AML Index, was recently described by FATF as ‘not having a national AML/CFT Strategy or policy’, with the local FIU ‘Hampered by its lack of human resources and operational autonomy’.
One would expect to see a change in the Basel risk assessment which reflects the country’s most recent evaluation. But this update will need to be ingested and handled by firms. Where such updates are handled by head office or by a central compliance team, or where updates are made only annually, this may take some time to filter down.
By way of another example, following the exposure of the Russian Laundromat money laundering scheme, it has been highlighted that the use of Scottish limited partnerships as a legal vehicle has a potential for high money laundering vulnerabilities. A firm’s risk assessment of this legal entity type will no doubt have changed on the basis of this new knowledge.
If an update to a risk factor is forgotten or delayed for some reason, a firm could be using an outdated list. This would certainly create a gap in the firm’s risk assessment process for both new and existing clients and leave a firm exposed to risks far outside their appetite.
Another risk is that firms will fail to update the risk assessment when a new product is launched or when other information becomes available, such as the most recent European Commission report into money laundering risks across products within the financial services sector, highlighting shifts in how criminals are using the financial system.
4. Mining for feedback
Risk assessments are a living document and should respond to changes in both the customer relationship and in the wider environment. For example, a firm may calculate a client’s initial risk assessment on the basis that the firm will be sending payments to the EU. If after a few trades they find out that the client is paying Mali and Cambodia, well, clearly the firm’s profile is wrong and so too is the risk score.
Outside of this, where a firm finds that all of its clients are considered high risk when they are opened, but that none of the subsequent investigations or account reviews find any suspicious activity, well perhaps then the risk assessment is too harsh or is misclassifying clients as risky when there is limited risk involved.
Assessments should be reviewed and re-calculated based on the feedback and usefulness and accuracy of the data available and on the output they generate. Systems that are demonstrably producing poor results should be amended.
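Points 1, 2 and 4 above (compounding related factors, typology-specific controls, and feeding observed behaviour back into the score) shown as a small Python scoring routine. This is an added illustration, not fscom’s or any firm’s actual model; the weights, jurisdiction codes, thresholds and sample clients are constructed assumptions.

```python
# Added illustration, not fscom's or any firm's model: weights, the jurisdiction
# list, thresholds and any sample client are constructed for the example.
from dataclasses import dataclass, field

HIGH_RISK_JURISDICTIONS = {"ZZ1", "ZZ2"}   # constructed placeholder codes

# Each typology carries its own mitigation rather than one generic EDD bucket.
CONTROLS = {
    "pep": "source of wealth verification and senior management approval",
    "cash_intensive": "cash deposit limits and enhanced transaction monitoring",
    "high_risk_jurisdiction": "enhanced UBO verification and counterparty screening",
    "ubo_same_jurisdiction": "independent verification of UBO residence and control",
    "unexpected_corridor": "re-KYC: actual payment destinations do not match profile",
}
WEIGHTS = {"pep": 3, "cash_intensive": 2, "high_risk_jurisdiction": 2,
           "ubo_same_jurisdiction": 2, "unexpected_corridor": 3}

@dataclass
class Client:
    incorporated_in: str
    ubo_resident_in: str
    is_pep: bool = False
    annual_cash_turnover: float = 0.0
    expected_destinations: set = field(default_factory=set)
    observed_destinations: set = field(default_factory=set)

def typologies_for(client):
    """List specific risk typologies; related factors compound (point 1)."""
    found = []
    if client.is_pep:
        found.append("pep")
    if client.annual_cash_turnover > 100_000:       # constructed threshold
        found.append("cash_intensive")
    if client.incorporated_in in HIGH_RISK_JURISDICTIONS:
        found.append("high_risk_jurisdiction")
        if client.ubo_resident_in == client.incorporated_in:
            found.append("ubo_same_jurisdiction")
    # Feedback (point 4): behaviour seen after onboarding overrides the profile.
    if client.observed_destinations - client.expected_destinations:
        found.append("unexpected_corridor")
    return found

def assess(client):
    """Return (rating, score, controls) so every rating has actions attached."""
    found = typologies_for(client)
    score = sum(WEIGHTS[t] for t in found)
    rating = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return rating, score, [CONTROLS[t] for t in found]
```

Two clients can both rate ‘high’ while needing entirely different controls, which is what a one-size-fits-all EDD bucket hides.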
5. Risk assessments need to do something
Doing the risk assessment is not an end in itself. The outcome of the risk assessment should lead to a next step that is appropriate given the level of risk identified.
Often firms have risk assessments that state that a particular client is risky, but then cannot clearly demonstrate how that changed how they monitored that client. Or for products, they will identify a weakness in their AML programme but cannot explain how they sought to close the risk gap identified.
If a risk is identified, you need to do something. Apply more transaction monitoring, take additional due diligence steps or possibly even close that product if it turns out that it is more attractive to criminals than an open vault. Whatever action is taken has to be clearly rationalised, documented and then reviewed by the MLRO or senior management.
There is no excuse for not reviewing customers periodically, particularly those with higher risk factors. What stops many firms from monitoring the risk of their clients is often that there is simply no field in their CRM to hold the risk score. It is calculated as part of the application and then left as a file somewhere, possibly as a screenshot of an Excel sheet.
Suffice to say, having the risk assessment and then not using it might be worse than not having it, as it is almost turning a blind eye to the risk.
Conclusion
If your firm is about to re-apply for its licence under PSD2, you will have to send the FCA your risk assessment policies and procedures (if you haven’t already). If you think that your risk assessment might not quite pass muster, or your AML manual needs a post-MLRs 17 shake-up, and you would like us to come and assist, please get in touch.
Our AML experts have decades of experience in mapping, gapping and capping (map what controls you have, discover the gaps, fill the gaps!) AML risks and can assist in reviewing your processes. If you feel that your firm’s current risk assessment could use a refresh, give us a call.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.