From risk to compliance: The five steps to performing an AML risk assessment (2024)

The five steps to performing an AML risk assessment

While completing an AML risk assessment is necessary to comply with regulations, understanding the risk level of each client and transaction also protects your business and your reputation. Below are five steps to follow to ensure compliance and protection.

1. Document key risk indicators

The first step for conducting an AML risk assessment is to create the appropriate documentation regarding key risk indicators (KRIs) and, in turn, how they relate to your business. This documentation will outline the support for the risk analysis. Remember – document everything, including your thought processes. As information changes and evolves, it helps to have everything cataloged to be sure your processes stay up-to-date and relevant.

Common categories of KRIs that should be documented include:

Clients/Customers/Business entities: Which types of individuals do you do business with? Are they who they say they are? Some will have a higher risk, such as:

  • Politically Exposed Persons (PEPs)
  • Non-Resident Aliens
  • Professional Service Providers

Be sure to complete a sanction screening to confirm that any individual you are working with is not on any sanction lists. And remember, doing business with PEPs is not necessarily banned; it is simply deemed high risk.

Meanwhile, if your client is a business entity, ask yourself: who ultimately controls or benefits from its activities? Be sure to cross-reference any information on file with records kept at Companies House and other beneficial ownership registers.

Products/Services: It’s important to understand and analyze the risks associated with the products and services you offer. For example, the following come with higher risk:

  • Remote deposits
  • Probate services
  • Gambling services
  • Cryptocurrency services
  • ATM and cash services
  • Foreign correspondent accounts
  • Loan portfolios
  • Online account opening and access
  • Tax advice

When providing a higher-risk service, keep a lookout for any red flags associated with your customer’s behavior. For example, ask yourself: Are the services they require consistent with their business rationale?

Delivery channels: It’s a good idea to remember that some delivery channels can increase money laundering risk, especially if they can disguise the true identity of the client’s activity. Remember to consider whether the service/product will be delivered in person or remotely, and whether it will be provided directly or via an intermediary.

Geographic location: A core component of any AML risk assessment is identifying the geographic locations that pose a higher risk. For example, do you operate in an area where there are higher rates of drug trafficking? To be thorough, confirm geographic risk through a list from the FATF or other such organizations.

And don’t forget, your customer doesn’t need to be in a foreign land to set off a red flag. If they are in a different city or province, enquire as to why they are coming to you instead of seeking a similar service closer to them, geographically.

Transactions: Naturally, an AML risk assessment will involve the evaluation of the type of transactions your business engages in. For example, how does the number of international wire transfers compare to domestic ones? Or what is the volume of loan transactions and private ATM customers?

2. Employ dedicated staff

No matter the size of your organization, ensuring adequate staff is employed to dedicate time to compliance is essential when conducting your AML risk assessment.

3. Identify the inherent risk

Inherent risk represents the exposure your business will have to money laundering risk should you not put any processes in place to mitigate it. This step of identifying the inherent risk builds upon your documentation process in step one.

Once you have identified the inherent risks to your organization, you need to implement controls to reduce them. These controls can be broken down simply into three categories: weak, adequate and strong.

4. Determine the residual risk

Once you have identified the inherent risk to your organization and, in turn, the effectiveness of the internal control environment you have in place, you can move on to determining the residual risk. This category of risk is defined as the risk that remains once controls have been put in place to mitigate the inherent risk. In other words, what gaps in your controls are present that could enable money laundering?

5. Rate the risk

Best practice involves applying a three-tier rating scale to assess the risk of money laundering or terrorism funding occurring, identified as high risk, moderate risk or low risk. Should the risk be rated high, your mitigation efforts are not effective enough and additional risk management measures should be implemented immediately. Ultimately, the strength of your controls can help determine the risk score. For example, when there are adequate controls in place, risk ratings might reduce from a three to a two.

Furthermore, best practice dictates one assess the risk at all levels of AML-regulated business. This means that a risk assessment should be conducted at the following levels:

  • The transaction level (by whoever is dealing with the transaction)
  • The customer/client level (by whoever is dealing with the customer)
  • The business level (by the appropriate individual in senior management/legal/compliance)

Finally, when appropriate, it never hurts to go one step further and perform a risk assessment at the sectoral level, the national level and the international level.

Cultivate a culture of compliance

Remember, the AML risk assessment process is an ongoing one. By cultivating a culture of compliance and conducting regular audits of your processes, you can be sure your organization remains aligned with regulatory changes and minimizes the likelihood of risk affecting your business and reputation.

How can you elevate your AML risk assessment?

Unfortunately, despite the risk assessments, controls and strict processes we implement, financial fraud is evolving faster than ever. In fact, in 2022, financial services businesses saw a 79% increase in document fraud compared to the previous year. Given the state of the current economic climate, this situation isn’t predicted to settle anytime soon.

Therefore, in an environment so fraught with fraud, going beyond the regulated assessment requirements is recommended. As we have discussed in previous blogs dedicated to KYC compliance, embracing a digital transformation strategy is a must. What this means is balancing your obligations to AML assessments and compliance with innovative, digital identity verification that can help protect your business against the latest sophisticated fraud trends without impacting the customer experience.

In fact, by enhancing your approach to AML (and KYC) compliance with comprehensive online capabilities like digital identity verification pre-AML risk assessment, you will not only better mitigate sophisticated fraud attacks, such as synthetic identities, but also provide an even more seamless customer experience from the very first touchpoint – account creation.

Want to discover how you can go beyond best practices for conducting your AML risk assessment with digital identity verification? Contact us today.

FAQs

What is the 5 step process of risk assessment?

The five steps in risk assessment are identifying hazards in the workplace, identifying who might be harmed by the hazards, taking all reasonable steps to eliminate or reduce the risks, recording your findings, and reviewing and updating your risk assessment regularly.

What are the 5 basic risk factor categories in AML?

What Are the Key Risk Indicators in Money Laundering? The key risk indicators for global companies are:
  • Size of a business and transaction.
  • Customer type.
  • Types of products and services sold to customers.
  • Location.

What is the risk assessment process in AML?

An AML risk assessment helps identify the institution's inherent risk and assesses the effectiveness of its preventative and detective controls. FATF recommends considering the following factors when assessing inherent money laundering risk: The nature, scale, diversity, and complexity of the business. Target markets.

What are the steps in AML screening?

AML name screening can be broken down into two distinct steps—name matching and risk assessment. The name matching step involves using an algorithm to compare names against an internal or external list of known entities that have been flagged for potential money laundering or terrorist financing activities.

What are the 5 principles of risk assessment?

The Health and Safety Executive's Five steps to risk assessment:
  • Step 1: Identify the hazards.
  • Step 2: Decide who might be harmed and how.
  • Step 3: Evaluate the risks and decide on precautions.
  • Step 4: Record your findings and implement them.
  • Step 5: Review your risk assessment and update if necessary.

What are the 5 Rs of risk assessment?

Exposures vary considerably with time. Engineers and other risk managers must tailor their response plans to address the potential exposures during rescue, recovery, reentry, reconstruction, and rehabitation.

What is an AML customer risk assessment?

This score is calculated using an AML risk scoring model, a tool that helps businesses measure how risky their customers are in terms of money laundering. It looks at things like what customers do for a living, where they live, and how they use their money.

What are the 5 risk-based categories?

Risk Categories Definition

By categorizing risks, organizations can gain a better understanding of the specific types of risks they face and develop appropriate strategies to manage them. The most commonly used risk classifications include strategic, financial, operational, people, regulatory, and finance.

What is risk and compliance in AML?

Risk management in AML compliance is essential to ensuring that financial institutions are compliant with applicable regulations and international standards. It is designed to protect financial networks from malicious activity, such as money laundering, fraud, and terrorism financing.

What are risk assessment processes?

During the risk assessment process, employers review and evaluate their organizations to: Identify processes and situations that may cause harm, particularly to people (hazard identification). Determine how likely it is that each hazard will occur and how severe the consequences would be (risk analysis and evaluation).

What are AML stages?

There are usually two or three phases to the laundering: Placement. Layering. Integration / Extraction.

What is an AML checklist?

Regulated businesses are charged with preventing, detecting, investigating and reporting transactions associated with money laundering and terrorist financing.

What is a take 5 risk assessment?

What is a take 5 in safety? Take 5 in safety, especially in the context of workplace, is the process of pausing a task and taking a five-minute assessment to identify potential hazards and risks that come along with it. Take 5 also typically involves five steps which are stop, look, assess, control, and proceed.

What is 5 step risk management process example?

There are five basic steps that are taken to manage risk; these steps are referred to as the risk management process. It begins with identifying risks, goes on to analyze risks, then the risk is prioritized, a solution is implemented, and finally, the risk is monitored.

What is step 5 in the risk management cycle?

Step 5: Monitoring the Results

Risk management is a continuous process, especially since the risk landscape is constantly changing. So, you need to constantly monitor both the results of your risk control strategy and any new risks that arise, making improvements to your risk management process wherever necessary.

What are the 5 steps to risk assessment in a care home?

Risk assessment in care homes should cover five steps — identify hazards, determine who is at risk, evaluate the risks and implement safety measures, record your results, and undertake regular reviews. You also need to factor the unique aspects of a care home and individual resident/staff needs into the assessment.

Author: Edmund Hettinger DC
