How to ace your business-wide financial crime risk assessment
What it is - why it’s important - how to complete one.
What are the legal requirements for business-wide risk assessments?
In the UK, regulations 18 and 18A set the requirements for all regulated firms to create a business-wide risk assessment (BWRA). Here is how each of those regulations begins:
18.—(1) A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.
18A.—(1) A relevant person must take appropriate steps to identify and assess the risks of proliferation financing to which its business is subject.
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
The regulations go on to fill in some detail on precisely what is required.
- You must take appropriate steps to identify the AML and CTF risks in your business.
- You must take into account information from the regulator in the form of their own risk assessment.
- You must also take into account risk factors that apply to your business — specifically, those relating to:
- your customers;
- your geography;
- the particular products and services you offer;
- the types of transactions you undertake; and
- your delivery channels.
- When deciding what ‘appropriate’ means you must have regard to the size and nature of the business.
- You must maintain a written record of all the steps you take to produce the assessment.
- You must provide the assessment to the regulator on request.
Elsewhere in the EU you will find almost identical requirements. Although the UK is an outlier in requiring an assessment of proliferation financing risks, this stems from a recommendation from FATF, the international advisory body, so it is likely to be widely introduced in the future.
The business-wide risk assessment in context
Why do regulators place so much store in the BWRA?
The BWRA, if done properly, should be a comprehensive, in-depth analysis of the firm’s business model and its financial crime exposures. And I can tell you from experience with multiple firms that the regulator absolutely does ask to see the assessment when it engages with a firm.
The importance of a good BWRA becomes clear once you’ve completed one. It is the centrepiece of your anti-financial crime framework, determining your customer risk rating methodology and informing how you build and configure your risk-based controls, such as transaction monitoring and customer due diligence.
Given the breadth of that impact, this is not an exercise the compliance department should complete in isolation. People who know the business – its processes, systems and challenges – should be involved at every stage.
"The best BWRAs feature cross-business collaboration."
- Ray Blake, Director at The Dark Money Files
Knowing what is required doesn’t necessarily take you far in understanding how to undertake the BWRA, however, and firms tend to approach the job with quite a wide range of methods. I’ve helped a number of firms put together or review their BWRA, and I will share here the very simple approach I tend to follow:
Structuring your assessment with 5 exam questions
My approach is centred on five questions, which if answered well will make completion of your BWRA straightforward. The questions are:
- What might criminals want from us?
- Business model analysis
- Defining your red flags
- Describing the control set
- Evaluating the control set
Let’s look more closely at each of them in turn:
Exam question 1: What might criminals want from us?
We might think instinctively that we know the answer to this question, but it’s really worth getting some people together and thinking like criminals. How would they exploit the firm for criminal purposes – to launder money or to fund proliferation or terrorism?
The answer to this question will vary a bit between firms, but you might want to start with a fairly generic list to get the discussion going. For example, the bad guys might try and use your facilities to do any or all of these things:
- introduce proceeds of crime to the financial system;
- move criminal funds across borders, having successfully placed them into the system, through us or through others;
- move criminal funds to other people;
- disguise criminal funds by moving them around, blurring the trail;
- channel funds to people secretly;
- fund terrorism or weapons proliferation, or evade sanctions;
- commit predicate crimes, such as fraud;
- disguise the true ownership of money – perhaps to thwart tax or sanctions rules;
- disguise their own identity or use the documents, statements or cards we give them as supporting evidence for a fraudulent identity they will assume elsewhere; or
- disguise the ultimate destination of funds, because if they don’t it would implicate them or others criminally.
And, of course, they could be doing all of this either for themselves or on behalf of another person or entity.
Now, as I say, that’s generic and it will need you to think about exactly what a criminal might look to do in your firm. A firm specialising in asset and wealth management will have different attractions to criminals than one that provides property services. Some of those items in the list above might not be possible given your firm’s business model, but you should be as open-minded as you can at this stage.
You need to get input from as many people around the business as you can, because no one person will have a close-up view of every aspect of the business.
Exam question 2: Business model analysis
With the second question, we want to make sure we know the vulnerabilities of the business. Think about the particular vulnerabilities that are implied by...
So, how can we come to an informed view here? How do the vulnerabilities of a wealth manager differ from those of – say – a payment service provider? What additional vulnerabilities are there if you give customers an ATM card? Or if you have a large number of customers who live in the US or in Azerbaijan? If you take instructions through an app rather than face-to-face or by phone?
Fortunately, there is a great deal of freely accessible information that will help you get going.
The place to begin is with the National Risk Assessments. In the UK, a money laundering and terrorist financing National Risk Assessment is published regularly, and the same is true of most other jurisdictions, so review the assessments for each jurisdiction where your firm has a significant presence or footprint. The UK has published its first National Risk Assessment of proliferation financing as well.
There’s the Joint Money Laundering Steering Group (JMLSG) guidance, which has a section on risk assessment in Part 1 and a detailed guide to the risks of different types of financial services business in Part 2. It’s worth a close read. The European supervisory bodies have collaborated on a similar guide of their own too.
At The Dark Money Files, we are big fans of the FCA’s Financial Crime Guide for Firms, which is shockingly underused by firms. There are also occasional ‘Dear CEO’ letters that give direction and guidance on specific threats as well as press releases which can be very informative, especially those that detail exactly how other firms might have got it wrong.
When you have answered exam question 2 you will have identified your firm’s inherent risk.
Exam question 3: Defining your 'red flags'
To get a useful set of 'red flags' that will act as triggers for your controls in due course, you should consider for each vulnerability: what could tell you that you might have this problem?
For example, let’s imagine you think you have a vulnerability to criminals because of a product risk. Let’s say that stems from you providing an ATM facility so clients can access cash remotely. You might decide that one of the red flags worth watching for is large and regular ATM cash withdrawals. If that happens in an account, it might indicate criminal use of your facilities. Equally it might not, but it’s something you would need to be sensitive to. That’s a red flag.
Let’s look at a risk that comes from the types of transactions undertaken. If you are facilitating retail point of sale payments, for instance, you might view card refunds with no purchase as a red flag.
How about a risk arising from your country exposure? Well, you might think that a red flag to watch for is when a customer funds the account from or undertakes a transaction involving a higher risk country.
When it comes to customer risk, maybe you have some Politically Exposed Persons (PEPs) on your books. You might consider a red flag around the PEP receiving funds from a payer that you haven’t previously seen.
And to complete the set, let’s think about a channel risk. If you offer a mobile app as a supplement to traditional banking activity, you might consider it a red flag when customers come to your firm for the first time through an app download and only deal with you through the app, never face-to-face.
These are just examples, and your list will have a number of different red flags for each category.
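The five red flags above (product, transaction, geography, customer and channel) are the kind of triggers that later get wired into transaction monitoring. As an added illustration, not code from the article or from The Dark Money Files, the following Python module encodes each of them as a rule and runs the rules over a small set of constructed customers and transactions. The thresholds (500 in the account currency, three withdrawals in 30 days), the placeholder higher-risk country code "XX", the channel names and the sample accounts are all assumptions chosen for the example; a real firm would take these from its own BWRA and its National Risk Assessment sources.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumption: a placeholder higher-risk jurisdiction code. A real list would be
# derived from the firm's country risk methodology, not hard-coded like this.
HIGHER_RISK_COUNTRIES = {"XX"}


@dataclass(frozen=True)
class Customer:
    account: str
    is_pep: bool
    onboarding_channel: str  # "app", "branch" or "phone" (assumed channel names)


@dataclass(frozen=True)
class Transaction:
    account: str
    when: date
    kind: str          # "atm_withdrawal", "card_purchase", "card_refund", "credit", "debit"
    amount: float
    counterparty: str  # merchant, payer or payee reference
    country: str       # counterparty country code
    channel: str       # channel the instruction came through


def atm_withdrawal_flag(txns, large=500.0, min_count=3, window_days=30):
    """Product red flag: large AND regular ATM cash withdrawals.
    Flags when at least min_count withdrawals of >= large fall inside window_days."""
    big = sorted(t.when for t in txns if t.kind == "atm_withdrawal" and t.amount >= large)
    for i in range(len(big) - min_count + 1):
        if (big[i + min_count - 1] - big[i]).days <= window_days:
            return True
    return False


def refund_without_purchase_flag(txns):
    """Transaction red flag: a card refund from a merchant with no earlier purchase."""
    purchases = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        if t.kind == "card_purchase":
            purchases[t.counterparty].append(t.when)
        elif t.kind == "card_refund" and not purchases[t.counterparty]:
            return True
    return False


def higher_risk_country_flag(txns):
    """Geography red flag: funding from, or a transaction involving, a higher-risk country."""
    return any(t.country in HIGHER_RISK_COUNTRIES for t in txns)


def pep_new_payer_flag(customer, txns, known_payers):
    """Customer red flag: a PEP receives funds from a payer not previously seen.
    known_payers is the set of payers already seen in earlier review periods."""
    if not customer.is_pep:
        return False
    return any(t.kind == "credit" and t.counterparty not in known_payers for t in txns)


def app_only_flag(customer, txns, in_person_channels=("branch",)):
    """Channel red flag: onboarded via the app and never dealt with the firm face-to-face."""
    if customer.onboarding_channel != "app":
        return False
    return not any(t.channel in in_person_channels for t in txns)


def evaluate_red_flags(customers, transactions, known_payers):
    """Run every rule per account and return {account: set of red flag names}."""
    by_account = defaultdict(list)
    for t in transactions:
        by_account[t.account].append(t)
    results = {}
    for c in customers:
        txns = by_account[c.account]
        flags = set()
        if atm_withdrawal_flag(txns):
            flags.add("large_regular_atm")
        if refund_without_purchase_flag(txns):
            flags.add("refund_no_purchase")
        if higher_risk_country_flag(txns):
            flags.add("higher_risk_country")
        if pep_new_payer_flag(c, txns, known_payers.get(c.account, set())):
            flags.add("pep_new_payer")
        if app_only_flag(c, txns):
            flags.add("app_only_relationship")
        results[c.account] = flags
    return results


# Constructed sample data for a fictional firm: one branch-onboarded PEP (A1)
# and one app-onboarded retail customer (A2). None of this is real.
CUSTOMERS = [
    Customer("A1", is_pep=True, onboarding_channel="branch"),
    Customer("A2", is_pep=False, onboarding_channel="app"),
]
KNOWN_PAYERS = {"A1": {"SALARY-LTD"}, "A2": set()}
TRANSACTIONS = [
    Transaction("A1", date(2024, 3, 1), "credit", 2500.0, "SALARY-LTD", "GB", "branch"),
    Transaction("A1", date(2024, 3, 9), "credit", 9000.0, "NEWCO", "GB", "app"),
    Transaction("A1", date(2024, 3, 12), "debit", 4000.0, "EXPORTER", "XX", "app"),
    Transaction("A2", date(2024, 3, 2), "atm_withdrawal", 600.0, "ATM-01", "GB", "card"),
    Transaction("A2", date(2024, 3, 9), "atm_withdrawal", 600.0, "ATM-01", "GB", "card"),
    Transaction("A2", date(2024, 3, 16), "atm_withdrawal", 650.0, "ATM-02", "GB", "card"),
    Transaction("A2", date(2024, 3, 20), "card_refund", 120.0, "SHOP-B", "GB", "card"),
    Transaction("A2", date(2024, 3, 21), "card_purchase", 80.0, "SHOP-A", "GB", "app"),
]

if __name__ == "__main__":
    for account, flags in evaluate_red_flags(CUSTOMERS, TRANSACTIONS, KNOWN_PAYERS).items():
        print(account, sorted(flags))
```

Each rule returns only a boolean: a red flag is a prompt for a control (enhanced due diligence, an alert for review), not a conclusion, which is exactly the "equally it might not" point in the text. Keeping the rules as small named functions also gives you something concrete to point to in exam questions 4 and 5, where each red flag is mapped to the controls that address it and those controls are then evaluated.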
Exam question 4: Describing the control set
By now you’ve got a very clear picture of the inherent risks of your business, and what tell-tale red flags you want to monitor to identify potentially criminal activity. It’s time to consider what you can do about it.
Don’t just consider the controls you’ve already got in place – what other controls could play a role? Also, don’t stop when you identify one control; keep going and think of all the controls that might address the particular red flag, even if only partially.
Let’s look at an example. This is one of the red flag examples we saw in the third stage, and if we think about this particular risk, it becomes clear that a number of typical controls can address this at least to some extent.
Exam question 5: Evaluating the control set
In the final step, you need to come to a view on the current effectiveness of each of the controls for each red flag. You’ll have your own classification system and assessment methodology for this, but you’ll want to have that documented and you’ll want to record the evidence underlying your judgements.
It might look like this:
You’ll also need to cover any exposures where you’ve identified a control gap, where you have an unmitigated risk.
This analysis allows you to summarise where there is still risk (residual risk) and conclude on the extent to which this is aligned to your risk appetite.
What do you do now?
In answering the five exam questions you will have created a very valuable document that will inform your entire anti-financial crime framework.
But, you can’t expect that intelligence to remain fully valid forever.
You will need to take care that the assessment is revisited as a key part of your compliance monitoring programme, and I’d suggest this should happen at least once a year. Additionally, you should conduct a review whenever there is a significant change in any important aspect of your business, remembering the five key headings (customers, geography, products and services, transactions and delivery channels):
If you build a good BWRA – and take care to keep it current – you will find it helps you in every part of your risk framework.
Ray Blake is...
By Ray Blake of The Dark Money Files