Chapter 28 AML: Risk-Based Approach Flashcards
28.1 The role of the risk-based approach
In carrying out the risk assessment required, a relevant person should consider risk factors relating to its customers, the countries or geographic areas in which it operates, its products or services, its transactions and its delivery channels. Having a risk assessment does not prevent firms from engaging in business relationships with higher-risk customers. Instead it should help them to effectively manage and prioritise their response to MLTF risks.
The risk-based approach is fundamental to satisfying the FATF recommendations, the EU directive and the overall UK MLTF regime. It requires governments, supervisors and businesses alike to analyse the MLTF risks they face and make proportionate responses to them. This approach recognises that each risk is different, and it requires evidence-based decision making to better target risks. The approach does not exempt low-risk clients and services from CDD, but the level of CDD is less.
28.2 The role of senior management
Senior management is responsible for managing all risks faced by a business. They should analyse all MLTF risks identified, and their nature and severity, to create a risk profile. When a risk is identified, the business must implement appropriate procedures to manage it; the procedures should be evidenced and documented to monitor effectiveness. The risk analysis can be conducted by the MLRO but must be approved by senior management. The risk analysis must be refreshed regularly by periodic reviews, the frequency depending on the business environment and the MLTF risks. Risk analysis should also take place whenever events impact MLTF risks. A fresh analysis may require AML policies, controls and procedures to be amended.
28.3 Designing Risk Analysis
When designing an analysis process, the business should look at its clients and the markets as well as the business itself, and consider factors that lower risks as well as those that increase them. Businesses should consider the findings of the most recent UK National Risk Assessment, together with any guidance issued by the relevant anti-money laundering supervisory authority.
Additional safeguards for handling client money – for client accounts you must be aware of the risks associated with handling client money and should make sure you know the source of the funds, the reason why the client’s money is being processed through your client account and consider whether there might be money laundering implications if the client wants money paid to a third party. For a client’s own bank account, it is essential to have a clear written agreement with the client. Your authority to access the account should be in writing to the bank and acknowledged by them. When making payments for a client you should ensure all payments are legitimate and your services are not facilitating money laundering. Where applicable make sure there is an authorisation process for payments of your own fees to ensure the client cannot accuse you of unauthorised payments. Members should be vigilant and ensure payments are made to legitimate bank accounts.
Risks should be split into categories such as client, services and geography. Risks do not always fit under one heading but that should not prevent them from being considered properly and a business should not look at individual risks in isolation. When two threats are combined, they produce a greater total risk.
28.4 The risk profile of the business
A business with a simple client base and limited portfolio of services will have a simple risk profile, and a single set of AML policies and procedures may be in place. Some businesses will find their risk analysis reveals different MLTF risks in different aspects of their business. A risk analysis allows resources to be targeted and procedures tailored. When a business has different procedures, it should consider how to deal with clients such as a new client who is served by two or more parts of the business with different AML policies, and an existing client who is set to receive new services from a part of the business with distinct policies and procedures. The risk-based approach can consider the experience and knowledge of the different commercial environments of the business.
28.5 How procedures take account of the risk-based approach
Before establishing client relationships or accepting an engagement, a business must have controls in place to address the risks arising from it. The risk-based approach should be easy to understand and easy to use for all relevant employees, and flexibility should be in place to adapt to unusual situations. The nature of the AML policies depends on the scale and complexity of the business, the geographical spread of client operations and the extent to which operations are linked to other organisations. Businesses should have different client risk categories such as low, normal and high.
Businesses are expected to undertake monitoring of the client relationship, with levels of monitoring varying depending on the MLTF risk associated with individual clients. Considering key risk categories, a business may be able to draw up a simple matrix to determine a client’s risk profile. In addition, businesses should consider the nature of the service being offered to a client and the channels through which the services are being delivered.
28.6 The categories of risk - high/low customer risks
Client risk is the overall MLTF risk posed by a client based on the key risk categories, as determined by a business. Areas of risk for customers are: undue client secrecy, unnecessarily complex ownership structures, business activities (cash based, cryptocurrency, crowd funding, money service bureau, arms dealers and property transactions with unclear source of funds), politically exposed persons, one-off transactions, rapid rate of turnover, clients taking on work outside their normal range of goods, clients involved in transactions that do not make commercial sense, high net worth individuals, un-cooperative clients, clients who have criminal convictions and are on the sanctions/terrorist list, clients with inconsistent transactions, clients with multiple bank accounts or foreign accounts for no reason and clients who have changed professional advisers a number of times in a short space of time.
High risk factors for customers are:
• the business relationship is conducted in unusual circumstances
• the customer is resident in a geographical area of high risk
• the customer is a legal person or legal arrangement that is a vehicle for holding personal assets
• the customer is a company that has nominee shareholders or shares in bearer form
• the customer is a business that is cash intensive
• the corporate structure of the customer is unusual or excessively complex
Low risk factors for customers are:
• the customer is a public administration, or a publicly owned enterprise
• is an individual resident in a geographical area of lower risk
• is a credit institution or a financial institution which is subject to the requirements in national legislation implementing the fourth money laundering directive as an obliged entity or supervised for compliance with those requirements in accordance with the fourth money laundering directive
• is a company whose securities are listed on a regulated market and the location of the regulated market
28.6 The categories of risk - high/low service risks
Service risk – this is the perceived risk that certain products or services present an increased level of vulnerability in being used for MLTF purposes. Businesses should carry out additional checks on these.
High risk factors for products, services, transactions or delivery channels are:
• the product involves private banking
• the product or transaction is one which might favour anonymity
• the situation involves non-face-to-face business relationships without certain safeguards
• payments will be received from unknown or unassociated third parties
• new products and new business practices are involved
• the service involves the provision of nominee directors, shareholders or shadow directors or the formation of companies in a third country
Low risk factors for products, services, transactions or delivery channels are:
• a life insurance policy for which the premium is low
• an insurance policy for a pension scheme which does not provide for an early surrender option and cannot be used as collateral
• a financial product or service that provides appropriately defined and limited services to certain types of customers to increase access for financial inclusion purposes in an EEA state
• a product where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership
• a child trust fund
• a junior ISA
Areas of risk: Products or services
• investigations work where there might be a criminal element
• aggressive tax planning
• property advice including VAT and SDLT
• insolvency services
• investment business, including investing in cryptocurrencies
• income through crowd funding
• trust and company services
• payroll services
• probate and estate management
• tax and accounting services where there are concerns that records are falsified
• products that may favour anonymity
28.6 The categories of risk - high/low geographic risks
Geographic risk – this is the increased level of risk that a country poses in respect of MLTF. When determining the risk, factors to consider may include the level of corruption, criminal activity and the effectiveness of MLTF. Businesses should use publicly available information when assessing the levels of MLTF.
High risk factors geographic risk –
• countries identified by credible sources as not having effective systems to counter MLTF
• countries identified by credible sources as having significant levels of corruption or other criminal activity
• countries subject to sanctions, embargos or other measures issued by the EU or UN
• countries providing funding for terrorism
• countries which have been designated by the UK government as proscribed organisations under the 2000 Terrorism Act, or by other countries, international organisations or the EU as terrorist organisations
• countries identified by credible sources as not implementing requirements to counter MLTF that are consistent with the recommendations published by the Financial Action Task Force in February 2012 and updated in October 2016
Low risk factors – geographic risk
• in an EEA state
• a third country which has effective systems to counter MLTF
• a third country with low levels of corruption or other criminal activity
• a third country which has requirements to counter money laundering and terrorist financing that are consistent with the revised recommendations published by the Financial Action Task Force in Feb 2012 and updated in Oct 2016
28.6 The categories of risk - sector risk and delivery channel
Sector risk – these are risks associated with certain sectors that are more likely to be exposed to increased levels of MLTF. Businesses should consider the sectors in which their client has significant operations and take this into account when determining a risk profile.
Delivery channel – certain delivery channels can increase the MLTF risk, because they can make it more difficult to determine the identity and credibility of a client. Delivery risk can be increased where services/products are provided to clients who have not been met face-to-face or where a business relationship is conducted through an intermediary. Members should consider if the risks determine an increased level of CDD. Providing services to clients online without meeting them may increase the risk of being used for ML or TF.
28.7 The importance of documentation
Businesses must be able to demonstrate to their anti-money laundering authority that they are able to mitigate MLTF risks. The assessment needs to be documented and available to their anti-money laundering supervisory authority on request. You need both a written risk assessment of your practice and written policies and procedures. If requested, supervised members must provide to their supervisor the risk assessment, the information on which the risk assessment was based, and the steps taken to produce the risk assessment. The steps to produce the document are:
• consider the risks based on the different areas of business and consider the risks relating to its customers, geographic areas, products or services, its transactions and its delivery channels
• consider information provided by the CIOT in its role as an AML supervisor and the ATT as an AML supervisor
• having identified risks, move on to assess each risk and the likelihood of them occurring
• set out in writing the risk assessment of the firm and draw a conclusion in relation to a high, medium or low risk
• ensure records are maintained of the steps, ensure the risk review is updated when risks change, consider revisiting it to ensure it is appropriate at least once a year
• use the risk assessment to inform what policies and procedures are required to manage risk in the firm. Consider your procedures and controls in place and make sure the staff are aware of them and understand them