Best Practice Guidance for AML and CTF risk assessments

All financial services firms in the UK are required to carry out risk assessments for Anti-Money Laundering (AML) and Countering Terrorist Financing (CTF). Yet a survey of AML audits reveals that some firms do not have risk assessments, and many that do, fail to record the rationale they adopted when arriving at their risk assessment.

Effective AML and CTF risk assessments are not rocket science. I have spent a material portion of my career in senior AML roles in banks, as a Money Laundering Reporting Officer in a regulatory compliance function, and more recently at fscom advising companies on AML and CTF risk management. Based on these experiences, I recommend four simple steps that companies should follow to develop a best practice AML and CTF regime, that reflects your firm’s risk and importantly, is also proportionate.

In this blog, I will summarise these steps, and you can watch the full webinar here.


Why risk assessments matter

Firstly, why should you do an AML and CTF risk assessment? Well, it’s required by section 8 of the UK’s 2017 Money Laundering Regulations (MLR). This states: “A relevant person must take appropriate steps to identify and assess the risk of money laundering and terrorist financing to which its business is subject”.

There are two subsections of these rules that are important but often get overlooked:

  • MLR 18, subsection 6 says companies must retain “the information on which that risk assessment is based” so they can show their rationale for a decision to auditors if required.
  • MLR 17, subsection 3 (e) requires “the monitoring and management of compliance with and the internal communication of such policies, controls and procedures”.

This regulatory driver is important, but there is another good reason for companies to do a risk assessment. Money launderers and terrorist financiers test and probe to find financial service providers whose onboarding processes are more lax, and avoid those with strong procedures. So effective AML and CTF compliance reduces your risk of being targeted by money launderers and those trying to fund terrorism.


Step one: Defining inherent risk

The first step in a risk assessment is to understand and identify the inherent risks facing your firm. These will vary according to the firm’s size, range of products and services, customer base and where it operates. When I work with firms, I encourage them to capture their risks into the following broad groupings:

  • Oversight and governance
  • Financial crime training
  • Transactional risk
  • Management information
  • Product risk review
  • Suspicious activity reporting
  • Client risk assessment

You then need to take your long list of risks and assess which carry the highest risk for your company. To decide whether each risk is high, medium, or low, you should consider:

  • The probability of the risk happening
  • The impact it would have
  • The risk of a breach of legislation or regulation
  • The impact on your reputation
  • The likely extent of financial loss
  • The value of any potential funds laundered

Plotting each risk as red, amber, or green on an Excel spreadsheet will give you clear view of the relative risks.

Best Practice Guidance for AML and CTF risk assessments

That lets you easily pick out the most pressing risks that are proportionate to your business.

Step two: Tackling these risks

On occasions, having evaluated the inherent risks, firms will identify that some form of corrective action is required to remedy a highlighted shortfall in a procedure and / or control. Recording these on the firm’s AML & CTF risk assessment ensures they get visibility, and additionally any corrective actions can be tracked through to completion.

The next key task is for the firm to identify what controls are proportionate to bring the identified inherent risk down to a residual risk level that aligns to the firm’s AML & CTF risk appetite. Sometimes, it might be one control or a mix of controls that are required. The acid test for the controls is do they alleviate the probability of the risk happening, reduce any impact and ultimately see the risk rating reduce to an acceptable risk level for the firm.  

Another really valuable stage at this point is the creation of Key Risk Indicators (KRIs). This is a great tool for a firm to draft and monitor performance against. A firm’s performance against its KRIs should be a component that is captured in regular AML & CTF Management Information.

Step three: Test and review

It is not enough to implement what you think are the right AML and CTF controls, but firms should also monitor and test them regularly. Testing should ideally be undertaken  by someone with a degree of independence from the risk areas and use proportionate sampling.

22% of attendees at our recent webinar thought it constituted a crisis for a company if testing shows a control has failed. However, the importance of knowing that a control has failed is that  it is preferable  to know you have an issue so you can figure out how to resolve it, as opposed to be unaware or become aware of a control fail  when it is too late to deploy corrective actions

Testing should be done regularly, especially when the risk is higher. Companies’ sizes and services change over time – the level of risk does not stand still so nor should your testing and monitoring.

A good example of undertaking a practical monitoring test on controls would be a firm wants its exposure to high-risk clients to be less than 15% of its client base, regular monitoring will identify when the proportion reaches 12% and onboarding of high-risk clients can be halted, thus respecting a KRI for that firm.

Step four: Share your findings

Compliance teams should share risk assessments and audits with senior management and seek their buy-in. A Money Laundering Reporting Officer must escalate risk management information, seek approval for risk assessments and decisions, and ensure the Board and executive team understand the risks the firm face and can act when appropriate.

All of this is simply practical and effective compliance. But it is worth investing time in the process. It makes it more likely that you will capture the relevant risks, put in place the right controls, and be better positioned to give your board and regulators assurance.

More guidance on this process can be found in our previous blogs. If you would like further advice on how to improve your company’s management of AML and CTF risks, please do not hesitate to get in touch.


This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate. 

Related Posts