All UK businesses have a responsibility to prevent money laundering and other forms of financial crime.
Risk assessments are a key component of any firm's anti-money laundering (AML) tool kit, and can help businesses to measure the likelihood that they will inadvertently support or engage in criminal behaviour.
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) made it a legal requirement for UK businesses in the regulated sector to adopt a risk based approach to their anti-money laundering efforts. This not only helps reduce the damage done by money laundering to the UK economy but gives companies flexibility in how they design and deploy their anti-money laundering procedures; as such risk assessments can vary between companies and sectors.
This guide explains what risk assessments are, and how any business can apply them to combat money laundering while meeting their regulatory compliance obligations.
What is an AML Risk Assessment?
A money laundering risk assessment is a process that analyses a business's risk of exposure to financial crime. The process aims to identify which aspects of the business put it at risk of exposure to money laundering or terrorist financing. It achieves this by monitoring and assessing known vulnerabilities, also commonly referred to as Key Risk Indicators (KRIs).
Anti-money laundering risk assessments form part of the required risk based approach. They should form part of, and tie into, a company’s overarching strategy to avoid facilitating the laundering of illicit funds.
There are two types of risk assessments required as part of a risk based approach. These are a companywide risk assessment and risk assessments of individual transactions.
A company-wide risk assessment is a floor to ceiling review of a business to identify what external risks of money laundering they face and where in their business is at risk of being exploited by criminals seeking to launder illicit funds. Once this is done it is used as the foundation for a company to design their risk assessment and anti-money laundering processes.
After identifying and highlighting the money laundering risks their company is facing, directors then must design an appropriate risk assessment procedure to ensure they identify any potential transaction that is part of a money laundering scheme.
Why are AML Risk Assessments Required
Certain businesses are required to conduct anti-money laundering risk assessments under Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
On a practical level, a risk assessment could help a business to:
- use a risk-based approach to identifying and preventing money laundering.
- understand the risks associated with various business relationships and commercial activities.
- create policies, procedures, and controls that actively reduce the risk of financial crime.
- make more informed decisions about employees and clients.
- identify transactions and relationships that involve an at-risk or sanctioned country.
- Evaluate risk reduction measures.
Ultimately, an AML checks risk assessment can help businesses to reduce the risk of money laundering and terrorist financing. These measures are an essential part of any anti-money laundering compliance program, and can help organisations to stay on the right side of the law
Money Laundering Risk Indicators
Businesses can conduct a money laundering risk assessment by monitoring key risk indicators. International authorities generally apply five primary categories of risk indicator that businesses should assess:
- The size, nature, and complexity of a business.
- The type of customer involved (e.g. B2B or B2C).
- The types of products and services involved in a transaction.
- The methods used to onboard new customers and communicate with existing ones.
- Geographical factors
By assessing these individual factors, businesses can allocate a risk rating to a transaction or customer relationship. Ratings of low, medium, and high can be used when applying a simple risk range, whereas more advanced risk ranges extend to very low and very high ratings.
How to do a Company-wide risk assessment
The first step of this assessment is for directors and employees to work together to identify how their business could be used to facilitate money laundering and how likely this is to happen. It is important to note that UK regulation requires that staff have sufficient training to be able to spot these risks. There is no set way that this assessment has to be carried out but it must review every aspect of the business. Once this has been done sufficient procedures should be designed and put in place to negate these risks.
It important that this process be well documented; as a company may be asked to prove it is compliant with UK anti-money laundering regulations, especially if it has been implicated in a money laundering scheme.
Things to consider in a companywide risk assessment are:
- The risks posed to their industry
- The risks posed by their business structure
- The risks posed by their products and/or services
- The risks posed by their business processes
- The risks posed by the geographical areas they operate in
- The risks posed by their distribution and payment channels. E.g. cash over the counter, bank transfers etc
- The risks posed by their customer base
This process should be reviewed every 12 to 18 months, or if a business undergoes any significant changes, and any necessary changes to internal procedures made.
How to perform an Anti-Money Laundering risk assessment
An anti-money laundering risk assessment’s purpose is to gauge if a transaction, and any individual involved in it, is possibly involved in money laundering and if any anti-money laundering checks need to be carried out or even if the transaction should not be performed at all.
The companywide risk assessment will have highlighted the greatest areas of risk and in these cases thorough anti-money laundering checks should be performed as a matter of course. Risk assessments should still be applied to transactions that were decided to be low risk in the companywide risk assessment.
A risk assessment is largely based on intuition and knowledge of how criminals exploit the private sector to launder money as well as proscribed business processes. It is therefore imperative, and a company’s responsibility, that the staff performing these assessments have the adequate training and tools to perform them.
There are some general key risk drivers that should be considered in each risk assessment:
- Clients seeking undue anonymity or secrecy and not willingly revealing their identity
- Clients acting through a third party
- A third party not being transparent about who they are acting on behalf of or who the ultimate beneficiary is
- Clients introduced to you by a third party, as you do not know the due diligence that has taken place
- Clients you have not obtained via the methods usual to the business
- Clients involved with cash based businesses
- Clients from abroad, especially from countries with low regulatory standards, high corruption or sanctions
- Clients from outside the usual customer base
- Clients involved in emerging sectors or who’s business has recently pivoted
- Clients with, or operating for an individual with, high net worth
- Clients wanting to deal in cash
- Clients with a criminal history
- Politically exposed clients
- Large transactions
- One off transactions
If the risk assessment finds any of these key risk drivers, any other risk drivers specific to a business as found in its companywide risk assessment or has any concerns then the company’s anti-money laundering check procedures should be followed.
Regardless of whether a risk is found or not, the findings of and methods applied in the risk assessment should be recorded.
Assessing High-Risk Activities
Businesses must pay particular attention to any high-risk activities when conducting a risk assessment. Each year, the UK government publishes a National Risk Assessment (NRA) that outlines the latest trends in money laundering and terrorist financing. This can help when prioritising certain activities as part of a risk-based approach to compliance.
In the UK's 2020 NRA, the following activities were identified as high-risk:
- conveyancing
- client account services
- trust and company formation
- financial technology services
- cash-related services
- the use of crypto assets and virtual money
Businesses should carefully consider whether their compliance framework does enough to identify and address these risks.
At the same time, organisations must pay close attention to the warning signs of money laundering and adjust their policies, controls, and procedures accordingly. This is especially true when dealing with customers and transactions that involve jurisdictions classified as high-risk by the Financial Action Task Force (FATF).
Risk Assessment during Customer Onboarding
A risk assessment can form a substantial part of the customer onboarding process. This opportunity should be used to conduct thorough due diligence before forming closer ties with an individual or organisation.
As part of an onboarding risk assessment, customers should be vetted for money laundering and terrorist financing risk factors. This process should include screening for adverse media, sanctions, and politically exposed persons (PEPs).
In addition to the above, businesses ought to be cautious when dealing with customers that perform actions that are at odds with their profile. This might happen if a customer suddenly attempts to enter into a high-value transaction, pay via a previously unrelated entity, or engage in a transaction that makes no commercial sense.
If a risk assessment flags any of these factors it may be necessary to ask further questions of a potential customer, or even to file a suspicious activity report (SAR).
Improve Your Approach to Risk Assessments with Red Flag Alert
Risk assessments are essential for businesses that need to comply with anti-money laundering regulations. Not only can they help to protect the economy from the threat of financial crime, but they can also prevent financial and reputational damage to the organisations involved.
Red Flag Alert can improve your risk assessment process by providing your business with fast access to reliable data on over 6.5 million businesses. With over 100,000 updates every day, users can trust this data to vet potential customers and verify any claims they make. Credit check any company and conduct AML checks efficiently with one easy-to-use platform.
To discuss how Red Flag Alert can help to streamline your approach to risk assessments, get a free trial today
or see our guide on how to perform an AML risk assessment.