Conduct an AML/CTF Risk Assessment
What is an AML/CTF Risk Assessment?
An AML/CTF risk assessment is the process of identifying risk and developing policies and procedures to minimise and manage that risk, whilst assessing the likelihood and severity of facilitating ML/TF through your service.
It is important to consider the likelihood and severity of facilitating ML/TF through your service when evaluating the risks.
Likelihood x Severity = Risk Score
Part A of your AML/CTF program requires the development of a framework to identify, prioritise, treat, control and monitor risk exposures. Keep in mind, elements of Part A also inform the risk-based approach that is applied in Part B.
After enrolling with your FIU (for Australia this is AUSTRAC), conducting an AML/CTF risk assessment is the first step towards achieving compliance. The AML/CTF program constitutes Part A of your AML/CTF obligations.
An AML/CTF Program establishes the operational framework for a reporting entity to meet its compliance obligations under the AML/CTF Act. It builds a toolkit for identifying and treating the ML/TF risk a business faces. The program documents the policies, procedures and controls which aim to mitigate and manage these risks.
There are two components to an AML/CTF program:
- Part A (general) of an AML/CTF program covers identifying, managing and reducing the money laundering and terrorism financing risk faced by a reporting entity.
- Part B (customer identification) covers a reporting entity's customer due diligence (CDD) procedures.
Conducting an ML/TF risk assessment is necessary for Part A of your AML/CTF program.
What must be included?
Assess the ML/TF risk posed by all:
- Designated services, before the entity introduces them to the market.
- Methods of delivering a designated service, before the entity adopts them.
- New or developing technologies used to provide designated services, before adopting them.
- Changes in the nature of the business relationship, control structure or beneficial ownership of its customers.
Things to consider:
Your AML/CTF program policies and procedures must be in writing; this is in addition to your reporting obligations to AUSTRAC.
Your AML/CTF program must have oversight from the board and senior management on an ongoing basis; your nominated AML compliance officer facilitates this information sharing.
Regular Updates and Reviews
The AML/CTF program must be subject to independent reviews and updated regularly in accordance with the risk-based approach. We cover this procedure in more detail in Review your AML/CTF Program.
Identifying your AML/CTF Risk Factors
Inherent Risk - AML/CTF Controls = Residual Risk
Assess the risk that your business will facilitate ML/TF. bronID assesses the ML/TF risk to your business by helping you measure the following risk factors:
- Customer Risk
- Product Risk
- Delivery Risk
- Jurisdiction Risk
- Operations Risk
- Environment Risk
How you categorise your customers into low, medium and high risk buckets, and what you do with the sensitive PII a customer shares during the KYC verification process, are important processes to outline when conducting an AML risk assessment, identifying your ML/TF risk and building your AML/CTF program. For example, a customer who is a PEP (politically exposed person) should be considered high risk and therefore receive additional monitoring and checks to counter and minimise the ML/TF risk posed by serving this person.
bronID can dynamically update risk scores. Create and Update the ML/TF Risk Profiles of Your Customers to meet the recommendations of recognised international organisations when assessing customer risk. Allowing an individual to use the same digital identity, bronID, to verify on a variety of financial services also contributes to a better, more complete risk profile for your customer.
In addition, it is important to perform PEP and sanctions checks for each customer; these should also influence which risk bucket you place each customer in. How customer identification influences risk is explored further in Know Your Customer.
Product risk concerns the type of product or service provided, for example exchanges versus banking, and the justified risk of each of these products both independently and as a suite. Once you release a product which requires reporting to AUSTRAC, you are inviting regulatory risk for non-compliance in addition to the business risk.
A complete list of the various product/service offerings should be compiled and assessed for their vulnerability to money laundering and terrorist financing.
Because bronID is a solution tailored specifically for AML/CTF compliance, we interact with a variety of products and services, from banks to cryptocurrency exchanges, and gain expertise in how each product or service is assessed for ML/TF risk; this knowledge can help inform your assessment.
Delivery risk concerns the method of delivery of your service, whether face to face, over the counter (OTC), through an online market, a web application or an app. While face-to-face delivery carries less risk of facilitating money laundering than digital delivery, most financial services today are delivered online.
The bronID digital identity system is tailored to work with an array of financial technology services, building towards an open standard of AML compliance for all online delivery methods and reducing the overall risk of these services by standardising AML/CTF best practice.
Jurisdiction risk is the ML/TF risk of providing services within a particular jurisdiction. An AML/CTF program should identify, categorise and attribute a risk score to each jurisdiction: low (requires monitoring), medium (concern) or high (primary concern). To determine these ratings you will need to assess the political, economic, legal, cultural and government structures and standards in each country.
There are a variety of international organisations which assess the jurisdiction risk of ML/TF. Some focus on a country's overall risk; others provide information for assessing the risk posed by PEPs and sanctions within these jurisdictions. There are a few factors you should consider when assessing your jurisdiction risk when providing services internationally.
Operations risk covers the risks of ML/TF that your internal business activities create. For example, assessing the risk posed by the employees who perform KYC verifications is one aspect of operations risk. Operations risk is also influenced by which internal policies and procedures are in place to perform AML/CTF controls.
Environment risk is the risk environment your designated service is exposed to. For example, digital currency exchanges are more vulnerable to risks related to cybercrime and hacking.
Regulatory risk is associated with breaches to the provisions of the AML Act and rules and regulations. The regulator's measures to detect, deter and remedy non-compliance will be commensurate with an entity's perceived risk rating.
Factors which place an entity at higher risk of non-compliance are:
- Customer verification not done properly;
- Failure to train staff adequately;
- Not having an AML/CTF program;
- Failure to report suspicious matters;
- Not submitting an AML/CTF compliance report; and
- Not having an AML/CTF compliance officer.
Minimising these risks is directly related to the policies and procedures outlined in your AML/CTF program and whether these are implemented, reviewed and reinforced correctly.
Customer Identification is covered predominantly by Part B of the AML/CTF Program and will be covered in more detail in Know Your Customer.
Reporting and Record Keeping are facilitated by AUSTRAC online.
Implementing the AML/CTF program is covered in Design your AML/CTF Program.
The effectiveness of your AML/CTF program is to be assessed by an independent reviewer, covered in Review your AML/CTF Program.
When it comes to quantifying your ML/TF risk, the most common method is to attribute a risk score by assessing the likelihood of a non-compliance event occurring against its severity or impact.
Likelihood x Severity = Risk Score
When it comes to money laundering and terrorist financing, the severity of a designated service being non-compliant can be drastic. This emphasises the importance of taking a risk-based approach to regulation: while businesses should not be expected to have a zero-risk tolerance, minimising the risks with the highest risk level or score is a good start towards achieving industry best-practice compliance.
Risk treatment comprises the processes in place to minimise and manage the identified risks: the strategies, policies and procedures you apply. Create a risk management worksheet that records the treatment and actions taken to minimise both business and regulatory risk.
Your risk tolerance is expressed as an acceptable or unacceptable level of risk.
Some questions you may ask yourself:
- What risks will the business accept?
- What risks will the business NOT accept?
- What risks will the business treat on a case-by-case basis?
- What risks will the business send to a higher level for a decision?
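The following is an added worked example, not bronID's code or a model the page prescribes, that ties the scoring and treatment steps above together: each of the six risk factors is rated on Likelihood x Severity, controls reduce the inherent score to a residual score, the worst residual factor sets the customer's bucket, the PEP rule from the customer-risk section forces the bucket to high, and a risk-appetite table answers the four questions just listed. The 1..5 scales, the bucket cut-offs, the treatment of controls as a fractional reduction, the appetite table and the sample ratings are all assumptions of this example.

```python
from dataclasses import dataclass

# Five-point scales for likelihood and severity. The page only gives
# "Likelihood x Severity = Risk Score"; the 1..5 values here are assumed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The six risk factors named on the page.
FACTORS = ("customer", "product", "delivery", "jurisdiction", "operations", "environment")

# Bucket thresholds on the resulting 1..25 scale (assumed cut-offs).
BUCKETS = (("low", 5), ("medium", 12), ("high", 25))

# Risk-appetite table answering the four questions above (assumed policy):
# low is accepted, medium is treated case by case, high goes up for a decision.
APPETITE = {"low": "accept", "medium": "case-by-case", "high": "escalate"}


@dataclass(frozen=True)
class FactorRating:
    likelihood: str
    severity: str
    control_effectiveness: float = 0.0  # 0.0 = no control, 1.0 = fully mitigating (assumed scale)

    def inherent(self) -> int:
        # Likelihood x Severity = Risk Score
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def residual(self) -> float:
        # Inherent Risk - AML/CTF Controls = Residual Risk; controls are modelled
        # here as a fractional reduction of the inherent score (modelling choice).
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must lie in [0, 1]")
        return self.inherent() * (1.0 - self.control_effectiveness)


def bucket_for(score: float) -> str:
    """Map a residual score to the low / medium / high bucket."""
    for name, upper in BUCKETS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1..25 scale")


def assess(ratings: dict, *, is_pep: bool = False, sanctions_match: bool = False) -> dict:
    """Score every factor, bucket the customer on the worst residual factor,
    then apply the screening overrides and the risk-appetite table."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    residual = {name: ratings[name].residual() for name in FACTORS}
    worst = max(residual, key=residual.get)
    bucket = bucket_for(residual[worst])
    reasons = [f"highest residual factor: {worst}"]
    if is_pep:
        # The page: a PEP should be considered high risk and receive additional monitoring.
        bucket, reasons = "high", reasons + ["PEP"]
    action = APPETITE[bucket]
    if sanctions_match:
        # A sanctions match is a risk the business does not accept (assumed policy).
        bucket, action, reasons = "high", "reject", reasons + ["sanctions match"]
    return {"residual": residual, "bucket": bucket, "action": action, "reasons": reasons}


# Constructed sample ratings for one customer (not real data).
SAMPLE_CUSTOMER = {
    "customer": FactorRating("possible", "major", 0.5),        # 12 inherent -> 6.0 residual
    "product": FactorRating("likely", "severe", 0.75),         # 20 inherent -> 5.0 residual
    "delivery": FactorRating("likely", "moderate"),            # 12 inherent, no control -> 12.0
    "jurisdiction": FactorRating("unlikely", "minor"),         # 4 inherent -> 4.0
    "operations": FactorRating("possible", "moderate", 0.5),   # 9 inherent -> 4.5
    "environment": FactorRating("likely", "major", 0.5),       # 16 inherent -> 8.0
}

if __name__ == "__main__":
    for flags in ({}, {"is_pep": True}, {"sanctions_match": True}):
        result = assess(SAMPLE_CUSTOMER, **flags)
        print(flags or "baseline", "->", result["bucket"], result["action"], result["reasons"])
```

Taking the worst residual factor rather than an average is a deliberate choice: one uncontrolled delivery channel should not be hidden by well-controlled factors elsewhere. The `reasons` list is what you would carry into the risk management worksheet so a reviewer can see why a customer landed in a bucket and which control or override drove the treatment decision.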
Upon completing an AML/CTF Risk Assessment, you are ready to move forward with your AML/CTF program.