Despite stringent AML rules and regulations, money laundering poses a threat to all businesses. A risk-based approach to AML aims to mitigate this threat.
The cycle of criminals and terrorists funding activities through Money Laundering and Terrorist Financing (ML/TF) is continuous. They use their ill-gotten funds to influence markets and policy, expand and diversify their activities, and spread corruption and instability through commercial, financial, and political institutions.
Governments have instituted Anti-money Laundering and Counter-terrorism Financing (AML/CTF) regimes to combat this cycle. The consequences for perpetrators include severe fines and imprisonment. A risk-based approach (RBA) to AML/CTF is central to implementing rules effectively, and it involves a three-step process:
The RBA requires AML-regulated individuals and entities to identify, assess, and mitigate ML/TF risks to which they are exposed. This approach allows for the allocation of resources to higher-risk areas.
AML-regulated individuals and entities need to identify potential ML/TF risks to ensure effective targeting of resources.
It is important to remain informed about the mechanisms commonly employed by ML/TF perpetrators and how these may affect your business and the sector in which you work.
It is also imperative that you document everything, including your thought processes. Identifying risk is not a one-off process – it is simply a snapshot of the situation. As information constantly changes, it should always be updated to remain relevant.
Finally, identifying risk should never be a 'check-box' exercise. However, several starting points may make risk identification (and subsequent assessment and mitigation) of ML/TF practices easier.
For instance, breaking the process down into separate questions:
The first thing to assess is whether the customer is who they say they are.
Ideally, you would meet the customer in person, check their government-issued photographic ID and proof of address and ensure that this aligns with your understanding of the customer.
Identification is just the first step in knowing your customer. The next thing to establish is whether the customer is a politically exposed person (PEP). A PEP is someone who holds or acts in a prominent public position that they could abuse for personal gain or to commit other serious crimes, such as bribery and corruption.
Be aware that dealings with PEPs are not necessarily banned but deemed to involve higher risk.
If the customer is a business entity:
Whether the customer is an individual or an entity, it is necessary to check if they are associated with people on a recognised sanctions list and/or the subject of negative publicity.
It is also important to use the 'who is the customer?' process to establish the business rationale of the customer, as this will help down the line.
At this stage of the process, it might be worth determining the customer's source of wealth. However, this determination is only necessary if a few red flags pop up or the customer poses a higher risk.
When assessing the risk associated with a service, it's important to ask, 'why has the customer decided to come to us?'. Is this a service your company normally provides, and are you sufficiently skilled?
Certain sectors pose higher risks, and it is important to be aware of whether your sector falls into this category. Generally speaking, the sector's levels of transparency and anonymity correlate with risk.
The National Risk Assessment includes many higher-risk services. You may glean other clues from sector-specific guidelines published by the relevant regulatory body.
Higher-risk services may include:
When providing a higher-risk service, it is important to look out for any red flags associated with the customer's behaviour. For example, is there a consistent pattern in the type of services the customer requires, and are the types of services they look for consistent with their business rationale?
Certain jurisdictions pose a higher ML/TF risk level than others. It may sound obvious, but it still needs to be said that a customer or a service will pose a higher risk if associated with a higher-risk country or jurisdiction.
Note that there only needs to be an association with the high-risk jurisdiction to trigger a greater need for scrutiny - it does not need to be a direct link. For example, if a customer's subsidiary is based in a high-risk jurisdiction, you may need to dig deeper. This is especially true if the funds move through an entity in a high-risk jurisdiction.
You should also know where a customer is in your jurisdiction. For example, if a customer is in a different city, county or province, you may query why the customer has come to you instead of a similar service provider closer to home.
You should ask yourself whether any transactions or dealings with the client could be hidden or anonymised and whether your actions could assist with that activity. When looking at the risk of transactions, you should consider the whole picture.
A broad view refers to the business activity and rationale of the customer, so you can assess whether the relevant transactions make sense. Understanding the source of funds (and the source of wealth in more suspicious transactions) is fundamental to this process.
Other transactional risk factors are associated with:
Cash transactions are difficult to trace by nature, so look for invoices and official receipts to prove these transactions. Certain wire transfer services that are notoriously hard to track should also set off alarm bells.
When dealing with established cryptocurrencies and transactions involving non-fungible tokens (NFTs), you will generally be able to get a snapshot of the blockchain or at least a list of transactions that give you a clue to the source of funds.
Furthermore, you should examine in more detail any transactions involving payment to unrelated third parties.
There are two main considerations here that tie into the other risk factors. These considerations include whether the service will be:
Risk mitigation is another thing to consider when planning service delivery. If a customer poses a higher risk or if something appears to be suspicious with some part of a service, it is always possible to onboard the customer by providing less risky services.
In doing so, you can build a relationship with the customer. You can use the ongoing relationship to vet the customer for higher-risk services.
After identifying the possible ML/TF risks, it is necessary to assess those risks formally. It is important to understand that although a fundamental part of the RBA involves gathering quantitative and qualitative information, this is simply the start of the process. Without proper analysis of the information and a judgement call, the information has no function.
Assessing risk requires determining how the ML/TF risks identified are likely to pan out. This process involves looking at all the available information and judging the likelihood of these risks eventuating and the impact on the transaction, individual customer relationships, the business, the sector in which you work, and the economy.
The main purpose of conducting a risk assessment is to challenge the facts in front of you. To achieve this, you may need to cross-reference facts, double-check consistency and conduct additional research.
This does not mean that everyone working for an AML-regulated entity must become a detective. Rather, if red flags appear when conducting due diligence, they should be examined and acted on, not ignored.
ML/TF risks generally fall into the category of low, medium or high:
Low risk - a markedly lower chance of ML/TF occurring
It is best practice to assess risk at all levels of an AML-regulated business. A full assessment means that you should perform risk assessment at the following levels:
Each of these assessments should be guided by and fed into each other. It is also best practice to consider risk assessments performed at the following levels:
A company's Business Risk Assessment (BRA) is a living document that forms part of its AML/CTF Policies and Procedures. The BRA should be constantly reviewed and redrafted if necessary.
It helps to remove some of the hassle for individual employees as it already provides an assessment of ML/TF risks that may affect the business. It also looks at business activities relating to the wider economy, considering the most up-to-date domestic laws, rules and guidance.
You should assess all customers of an AML-regulated business individually. It is also wise to examine the customer relationship in line with the company's BRA, internal AML/CTF policies, current affairs, national laws, and guidance. This process is referred to as a Customer Risk Assessment (CRA).
This assessment often uses the information gathered during the risk identification process, including information derived from Customer Due Diligence (CDD) at the onboarding stage. It is important to remember that CDD is just one tool that can be used to complete a CRA, and the CRA often helps to inform the level of CDD that needs completing.
Like all other parts of the RBA, CRA is an ongoing process. Still, the ideal time to start the process is just before establishing the relationship to ensure more control over risk mitigation. At that stage, neither party has fully committed themselves to the relationship.
Bear in mind that the cost of losing a customer is always less than the cost that may be associated with losing the whole business.
As you have probably noted, each level of assessment will affect every other level of assessment. Therefore, it is important to ensure that you document and communicate changes to risk resulting from an assessment to all relevant parties. Don't panic; for most of us, this means keeping proper records (for at least five years), reporting when appropriate and keeping in touch with the MLRO and/or Legal/Compliance.
Identifying and assessing risk on their own will have little practical effect on reducing ML/TF activities if you don't take action. All AML-regulated businesses are obliged to report suspicious activities or transactions to the relevant Financial Investigation Unit of the national authority.
Depending on the jurisdiction, reporting happens through a formal Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). This obligation extends to a duty to report any suspected predicate offences.
Fulfilling the duty to report should happen as soon as the suspicion arises, so long as the suspicion is reasonably well-grounded. AML/CTF reporting should never be used to harass or defame others. Where suspicion is well-grounded, don't look to investigate further before reporting. Report it immediately and monitor the situation.
Given the interconnectedness of AML/CTF processes, the duty to report does not cease because you rejected the suspicious transaction or at the point that the customer relationship terminates. The duty to report suspicious activity is ongoing, and it applies irrespective of whether there is a continuing relationship with the potential subject of the report.
It is also important to remember that the duty to report goes hand in hand with an obligation to avoid doing anything that may tip off the potential subject of a SAR/STR. Even inadvertent tipping-off can have serious repercussions.
Although it is important to maintain strong communication lines, it is also important to limit the extent of disclosure. Avoid discussing suspicions with colleagues or even managers. Save the conversation for the MLRO.
Note that this does not stop you from asking colleagues for advice on how to perform your role more effectively. For example, asking for advice on the company's AML/CTF policies and procedures or how to best gather information through the CDD process.
Don't worry; you are not in this alone. Your company's MLRO and Legal/Compliance Unit should be your first port of call if you have any questions about identifying ML/TF practices. Their function is to keep informed about ML/TF practices and the best means to identify, assess and mitigate ML/TF risk.
If direct reporting puts the reporter in an uncomfortable or dangerous position, the reporter may use the whistleblower's hotline.