Putting together a Firm’s Money Laundering and Terrorist Financing Risk Assessment and the Independent Compliance Assessment

Risk Assessment and the Independent Compliance Assessment

Lee Werrell, Chartered FCSI, CEO of Compliance Consultant, explores the changes to risk assessment and the basic principles of the independent compliance assessment benefits effected by the new Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Money laundering Reporting Officers operating within the regulated sector will want to be aware of and appropriately integrate these two essential elements into their broader anti-money laundering and counter terrorist financing policies and procedures.

As regulators reinforce their focus on the ideal discharge of money laundering obligations involving customer due diligence (CDD) by the regulated sector, the changes introduced by the new Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, known as the Money Laundering Regulations 2017 or “MLR 2017” are of great seriousness. This is particularly true for money laundering reporting officers within the definition of Part 7 of the Proceeds of Crime Act 2002.

Risk assessment by the firm or business
Some of the key changes achieved by regulation 18 of the MLR 2017 relates to the obligation on firms and businesses working within the regulated sector to identify and assess the risks of money laundering and terrorist financing to which its organisation is vulnerable. This is easier said than done, since as being able to undertake this task, the risk assessor ought to have a sound grasp of the methods which criminals can use the firm’s services when handling the proceeds of their crimes. Criminals may range from organised criminals who are laundering the proceeds of drug trafficking and the like to white collar criminals who have paid or received bribes, committed fraud, breached economic sanctions, or trifled a spot of insider trading. It follows that a firm or business operating in the regulated sector may be vulnerable to money laundering or terrorist financing in a myriad of different ways. Regulation 18( 4) of the MLR 2017 requires a written record to be made from all steps carried out by a firm in the identification and assessment of its money laundering and terrorist financing risk.

Pursuant to regulation 19( 1 )(a) of the MLR 2017, the firm’s risk assessment of its susceptability must dictate the development of its policies, controls and procedures which have been designed to mitigate and manage effectively the risks of money laundering and terrorist financing. What’s more, under the regulation 21(c) of the MLR 2017, having regard to the size and nature of the firm’s business, a firm is now required to establish an independent audit function with responsibility to analyze and evaluate the effectiveness of the firm’s policies, controls, and procedures, to generate suggestions about them, and to check compliance with them.

The high quality of the firm’s risk assessment is therefore critical, because when it pertains to an individual who is obligated to apply CDD measures, regulation 28(12) of the MLR 2017 requires the analysis of the money laundering or terrorist financing risk posed by the clients or customer or the transaction in question to show, amongst other things, the level of risk which their firm has identified in the firm’s risk assessment. In short, the generality of the risk assessment completed by the firm in respect of its susceptability to money laundering or terrorist financing serves to inform the particularity of risk assessment undertaken by the individual in relation to the customer or client concerned. The improvement of a risk profile for a customer or client is typically put together by dedicated professionals in the risk/ compliance function. The risk profile helps the individual on-boarding the customer in their assessment of whether any grounds for suspecting money laundering or terrorist financing has emerged during the Know Your Customer (KYC) process. Medium sized and small sized firms may not be able to afford this luxury and in this instance, it is vital that the firm’s risk assessment is adequately comprehensive to provide a sound framework for the staff’s risk assessment of a customer or client to be informed and effective.

How is the firm’s risk assessment to be made?
In executing the risk assessment a firm must take into account risk factors relating to its clients, the countries, or geographic areas through which it functions, its products or services, its transactions, and its delivery channels. But how is the firm to know the nature and intensity of the risk posed by these risk factors? The MLR 2017 consider that the firm may be helped by taking into consideration information provided by the supervisory authorities. Regulation 17( 9) of the MLR 2017 offers that if information from a risk assessment completed by a supervisory authority would support a firm operating in the sector to accomplish its own money laundering or terrorist financing risk assessment, the supervisory authority has to, where suitable, make that information easily available unless to do so would be irreconcilable with restrictions on giving out relevant information under the data protection legislation.

Information from Government authorities is likely to be limited
Among the key troubles for government agencies is the significant deficiency in their levels of knowledge about how highly developed money laundering is committed when the financial markets are involved. In one of the main findings in the UK’s National Risk Assessment (“NRA”) of Money Laundering and Terrorist Financing published in October 2015, HM Treasury and the Home Office conceded that there were significant intelligence gaps relative to “high-end” money laundering. This type of laundering is specifically relevant to major frauds and serious corruption, where the profits are often kept in bank accounts, residential or commercial property, or other financial investments, in lieu of in cash. The NRA judges the danger in the banking sector to be significant, since around 60% of ongoing money laundering cases being investigated by HMRC have funds initially shifted through banks. The intelligence picture in other areas, such as high value dealers, gambling, and new payment methods, was judged as being mixed.

What information is available to a MLRO?
Most likely, if a firm’s policies, controls, and procedures are to come through with flying colours, the firm’s money laundering reporting officer will have to supplement the guidance as to risk factors contained in the MLR 2017 and provided by the supervisory authorities with some comprehensive investigation of their own. The typology and sector-specific reports released by the Financial Action Task Force (FATF) are a good starting place. In addition, a money laundering reporting officer can consult the evaluations of money laundering and terrorist financing regimes run by its member countries which the FATF publishes regularly. Having said that, to meet the regulatory requirement a lot more will should be done. Money laundering reporting officers will have to digest reports prepared by, amongst other organisations, FATF-Style Regional Bodies (” FSRB’s”) and annual reports prepared by the Council of Europe’s Moneyval, mining them for information about how particular types of business might be used for money laundering and terrorist financing purposes, and which jurisdictions are considered more prone than others, concerning the integrity of the client and the nature of the business in question. The United States Central Intelligence Agency publishes a Global Factbook, and some beneficial information is available on the Anti-Money Laundering Forum operated by the International Bar Association. Furthermore, there is a significant amount of information readily obtainable on the web which money laundering reporting officers can access. For example, there are publicly available indices from HM Treasury’s Office of Financial Sanctions Implementation, Transparency International’s Corruption Perception Index, the Foreign and Commonwealth Office’s Human Rights Reports, and UK Trade and Investment’s pages on overseas country risk and quality of regulation. The MLRO or appropriate compliance team member, can review this information, digging for it for relevant material which will advise the firm’s things to consider as to whether the risk of money laundering and terrorist financing inherent in the form of work undertaken and the country with which it is associated, is low, medium, or high.

One apparent resource for a MLRO sits within the firm itself. As firms progressively more focus the delivery of their services in specialist areas, the first line of defence should be well placed to support the firm’s risk assessment.

Just as a solicitor specialising in the financing of energy transactions will understand the extent of corruption and bribery within this sector, an estate agent with a practice based in Kensington will be strongly cognisant of the risks of money laundering which purchases by Eastern European oligarchs and politically exposed persons pose. As a starting point for assessing the risks of money laundering and terrorist financing in an enterprise operating in the regulated sector, the MLRO could begin the method of risk assessment by commencing the process of self-assessment. As a practical suggestion, you could always purchase an Anti-Money Laundering & Counter Terrorist Financing Manual as provided by Compliance Consultant at http://bit.ly/IYCAML.

Assessing risk on rationally defensible criteria
Where a firm grows its risk assessment in this manner, and includes in its policies, controls and procedures provisions which detail how the risk is to become managed, the requirement in regulation 19(3)(a) of the MLR 2017 to include risk management practices will be satisfied. Interestingly, this requirement falls short of the requirement laid out in Article 8(4) of the EC Fourth Directive on Money Laundering which specifically pertains to “the development of internal policies, controls, and procedures, including model risk management practices …” Although the reference to “model” risk management practices is not something which appears in the Financial Action Task Force Revised Recommendations, larger companies operating in the regulated sector will ignore this requirement at their peril.

Reliance on qualitative proficient judgment when creating risk assessments continues to hold, but there is an inherent subjectivity within this approach and there is a danger that perhaps its thought to be self-serving if challenged by a regulator in a case where a less obvious risk of money laundering or terrorist financing was not identified. The EC Fourth Directive on Money Laundering is seeking to support firms and businesses operating in the regulated sector to apply a more sophisticated course of action, by leveraging quantitively derived models which allocate risk scores calculated by algorithms which have been developed from analysis of AML scenarios and typologies.

Management consultancies have developed a variety of model risk management practices for application in anti-money laundering and counter-terrorist financing incidents. The application of model risk management in the assessment of money laundering and terrorist financing vulnerability will also aid a firm or business in the regulated sector when seeking to display that its risk assessment policies are effective pursuant to the independent audit requirement introduced in regulation 21(c) of the MLR 2017. There is, however, an important caveat which must be borne in mind. As the Joint Money Laundering Steering Group (“JMLSG”) has cautioned, “where a firm uses automated systems purchased from an external provider to allocate overall risk scores to categories business relationships or occasional transactions, it should understand how such systems work and how it combines risk factors to achieve an overall risk score.” The JMLSG adds that “a firm must always be able to satisfy itself that the scores allocated reflect the firm’s understanding of the [money laundering and terrorist financing] risk, and it should be able to demonstrate this to the [regulator] if necessary.”
As a cheaper solution to acquiring a scoring system from an external provider, it is open to MLROs to develop their own scoring system. This would involve allocating scores to a wide range of risk factors based upon information available internally and externally such as the nature of the client, the type of transaction involved, and the geographical location in which it is taking place. As an example of the flexibility inherent in the allocation of scores, the JMLSG notes that “firms may decide that a customer’s personal links to a jurisdiction associated with higher [money laundering and terrorist financing risk] is less relevant in the light of the features of the product they seek.” [1]

Independent Compliance Assessment
It is uncertain exactly what is required of a firm or enterprise operating in the regulated sector to establish an Independent Compliance Assessment. By introducing a requirement for the Compliance Assessment to be independent, the person performing this responsibility should be unconnected with the implementation or operation of the firm’s anti-money laundering and counter-terrorist financing compliance programme. The JMLSG suggests that the task can be undertaken “by, as an example, an internal audit function (where one is established), external auditors, specialist consultants or other qualified parties”.

For all your regulatory compliance needs, including AML specialist services, go to Compliance Consultant (http://www.complianceconsultant.org), One of the UK’s Leading Consultancies. Buy their top-selling AML & CTF Policy & Manual at https://goo.gl/qLdQ39.

[1] The Joint Money Laundering Steering Group, ‘Prevention of Money Laundering/Combating Terrorist Financing: 2017 Consultation Version’ (March 2017) page 45.


Keywords: money laundering,aml,kyc,antimony,what is money laundering,money laundering regulations,money laundering regulations 2007,money laundering definition,anti money laundering regulations,money laundering act,aml checks,money laundering uk,examples of money laundering,aml kyc,aml compliance,anti money laundering checks,report money laundering,what is aml,uk money laundering regulations,joint money laundering steering group,aml regulations,money laundering process,

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.