A critical component of any AML/CTF(1) framework is a robust business wide risk assessment (BWRA). This is a regulatory requirement under the MLRs(2) and the initial stone from which an EMI’s or PI’s proverbial anti-financial crime wall is constructed. The foundations need to be solid, or the entire structure becomes vulnerable.
The FCA, in its publication ‘Our Strategy: 2025 – 2030’, has emphasised the importance of thorough risk assessments. The strategy highlights key concepts of ‘trust’ and ‘risk’, underscoring the need for firms to develop ironclad AML controls. Further, the regulator, in a rejection of Zeux Limited’s application for registration as a cryptoasset exchange provider under the MLRs, noted that the applicant firm displayed multiple significant failures in the firm’s AML controls and fell, in the FCA’s words, ‘well short of legislative requirements.’ Among the numerous described failings, the FCA noted that the application showed a ‘failure to understand, identify, and document risks’, placing its criticism of the BWRA within the following five key categories.
- Failure to note all the risk factors.
- Failings in BWRA methodology.
- Failure to understand how to perform a BWRA.
- Failure to understand, identify, differentiate, and document risks.
- Failure to consider the National Risk Assessment (NRA).
Across the five categories, the regulator documents 19 specific areas of concern.
Given that a substantive focus of the application rejection is concentrated upon the BWRA, and with the regulator stressing concepts of risk assessment and trust within its five-year strategy, the question one may ask is: what should my BWRA look like?
Well, let’s use the FCA feedback categories from the Zeux Decision Notice as our jumping-off point to answer this question.
What went wrong: FCA’s five key BWRA failings
1. Failure to note all the risk factors
The first step to any risk assessment, or in building anything, is surveying the land. In the BWRA context, this means identifying every relevant risk your business may face. In the case of relevant firms, under Regulation 18 of the MLRs, your BWRA must assess risks related to:
- customers;
- countries or geographic areas in which the entity operates;
- products or services;
- transactions; and
- delivery channels.
Additionally, while not required to be within the BWRA specifically, the firm must also take appropriate steps to identify and assess the risks of proliferation financing to which its business is subject.
Our first step, therefore, is to document all of the inherent risks posed by the subject firm’s business model and operations across these six categories. For example, our wide category for ‘Customers’ may include the inherent risk that we unknowingly onboard a politically exposed person (PEP), or, for ‘Countries’, this may be the risk that the entity onboards a client subject to sanctions, etc.
2. Failings in BWRA methodology
This is the big takeaway that can be summed up in one sentence: a methodology is not just a five-by-five matrix.
Let us explore that summation. When designing your methodology, it must include both quantitative and qualitative metrics. If your assessment has a five-by-five likelihood and impact rating system (the industry standard), you must be able to attest and show evidence of the sources used to reach this scoring, and how calculations were determined.
For example, if you score the likelihood of a PEP being onboarded as a ‘3’ (‘Reasonably Likely’), the BWRA must explain how that score was reached – e.g. through customer profile analysis or onboarding trends. Similarly, if the risk that funds are sent to a sanctioned individual is a ‘1’ (‘Rare’), how was this determined?
3. Failure to understand how to perform a BWRA
Similar to our failings in methodology, entities must be careful that all calculations are accurate and that there is, in the words of the regulator, a ‘linear mapping of inherent risks, the applicable controls, and the residual risk rating.’ In other words, it must be evident, and track in a clear and linear fashion:
- what the inherent risk is;
- what its likelihood and impact are (uncontrolled);
- what its overall inherent risk rating is (uncontrolled);
- what controls are applied to the risk;
- assessment of how effective the controls are; and
- following controls being enacted, a residual risk rating.
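The methodology point in section 2 (every score needs a documented source) and the linear mapping in section 3 (inherent risk, likelihood and impact, inherent rating, controls, control effectiveness, residual rating) can be made concrete in a small risk register. The following is an added illustration written for this post, not the FCA’s methodology or any firm’s BWRA: the scale labels other than ‘1 Rare’ and ‘3 Reasonably Likely’, the rating-band thresholds, the 0–1 control effectiveness scale, the way several controls are combined, and the sample entries are all assumptions for demonstration.

```python
"""Illustrative BWRA risk register: a linear trace from inherent risk through
controls to residual risk, recording the evidence behind every score."""
from dataclasses import dataclass, field
import math

# Assumed five-point scales. Only '1 Rare' and '3 Reasonably Likely' appear in
# the post; the other labels are illustrative placeholders.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Reasonably Likely", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Major", 5: "Severe"}

# Regulation 18 categories plus proliferation financing (assessed alongside the BWRA).
CATEGORIES = {"customers", "countries", "products_services", "transactions",
              "delivery_channels", "proliferation_financing"}


def band(score: int) -> str:
    """Map a 1-25 likelihood x impact product to a rating band (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    effectiveness: float   # assumed scale: 0.0 (no mitigation) to 1.0 (fully mitigates)
    evidence: str          # how the effectiveness was assessed, e.g. a testing result


@dataclass
class Risk:
    category: str
    description: str
    likelihood: int
    impact: int
    likelihood_evidence: str
    impact_evidence: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Methodology checks: a recognised category, valid scores, and a source for each score.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be integers 1-5")
        if not self.likelihood_evidence.strip() or not self.impact_evidence.strip():
            raise ValueError("each score needs a documented source")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def combined_effectiveness(self) -> float:
        # Assumed aggregation: controls act independently, so the exposure left
        # is the product of what each control leaves behind.
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"control {c.name}: effectiveness must be between 0 and 1")
            remaining *= (1.0 - c.effectiveness)
        return 1.0 - remaining

    def residual_score(self) -> int:
        # Residual never drops below 1 and never exceeds the inherent score;
        # with no controls it equals the inherent score.
        return max(1, math.ceil(self.inherent_score() * (1.0 - self.combined_effectiveness())))

    def trace(self) -> dict:
        """The linear record a reviewer expects: inherent -> controls -> residual."""
        return {
            "category": self.category,
            "risk": self.description,
            "likelihood": f"{self.likelihood} {LIKELIHOOD[self.likelihood]} ({self.likelihood_evidence})",
            "impact": f"{self.impact} {IMPACT[self.impact]} ({self.impact_evidence})",
            "inherent": f"{self.inherent_score()} {band(self.inherent_score())}",
            "controls": [f"{c.name} ({c.effectiveness:.0%}: {c.evidence})" for c in self.controls],
            "residual": f"{self.residual_score()} {band(self.residual_score())}",
        }


def example_register() -> list:
    """Constructed sample entries; every figure here is illustrative, not a real firm's data."""
    pep = Risk("customers", "Unknowingly onboarding a PEP", 3, 4,
               "12 months of onboarding data: 2.1% of applicants flagged as PEPs",
               "Regulatory and reputational exposure if PEP source of wealth is unverified",
               [Control("PEP screening at onboarding", 0.7, "Q2 sample test: 95% hit rate"),
                Control("Periodic rescreening", 0.5, "Monthly batch rescreen reconciled to list updates")])
    sanctions = Risk("countries", "Onboarding a client subject to sanctions", 1, 5,
                     "No sanctions matches in 24 months; customer base limited to UK/EEA",
                     "Breach of financial sanctions; potential criminal liability",
                     [Control("Sanctions screening", 0.9, "Daily list refresh; fuzzy matching tested")])
    return [pep, sanctions]


if __name__ == "__main__":
    for risk in example_register():
        print(risk.trace())
```

Each `trace()` record is the ‘linear mapping’ the regulator describes: the inherent score, the evidence for each component, the controls with their assessed effectiveness, and the residual rating, all derivable from one another. Note that a risk with no controls carries its inherent score through to the residual unchanged, and that a score with no recorded source is rejected rather than silently accepted.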
4. Failure to understand, identify, differentiate, and document risks
Firms must be clear on what their risks materially are. In the Decision Notice, the FCA calls out how Zeux noted that ‘Transaction Monitoring’, ‘EDD Requests’, and ‘SARs’ were inherent risks. Similarly, PEPs were categorised as high, medium, and low by Zeux within the inherent risk scoring; however, the PEP risk would not have been known at this stage.
The primary takeaway here is that the noted risks cannot be ‘tickbox’ and cannot be templated. Your risks must be catered to your firm, to your business model, and to the money laundering, terrorist financing, and proliferation financing risks that your firm may individually face.
5. Failure to consider the National Risk Assessment (NRA)
Finally, it is a regulatory requirement to consider the information made available by the UK National Risk Assessment (NRA), which outlines current threats and trends in money laundering and terrorist financing.
Regular inspections and maintenance
Constructing your BWRA isn’t a one-time project; it is an ongoing commitment. Regular reviews, updates and maintenance ensure your AML/CTF compliance remains strong and adaptive.
It will enable your firm to have a living assessment that is an accurate representation of pitfalls that could lead to your firm enabling financial crime and, possibly, paying the price for this via regulatory enforcement or via mandatory reimbursement (such as that for APP fraud).
At fscom, our expert audit and advisory teams work at the front line of anti-financial crime and know what a high-quality BWRA looks like and, more importantly, how one should be built to last.
(1) AML/CTF: Anti-Money Laundering/Counter Terrorism Financing
(2) MLRs: Money Laundering Regulations
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.