The risk-based approach

Introduction

The 2007 Regulations permit a risk-based approach to compliance with customer due diligence obligations.

More specifically:

  • Businesses must establish adequate and appropriate policies and procedures relating to risk assessment and management in order to prevent operations related to money laundering or terrorist financing
  • Businesses must:
    • Determine the extent of customer due diligence measures on a risk-sensitive basis depending on the type of client, business relationship, or services to be provided
    • Be able to demonstrate to their anti-money laundering supervisory authorities that the extent of customer due diligence measures is appropriate in view of the risks of money laundering and terrorist financing
  • Businesses are required to take a risk-based approach and have adequate measures to verify the identity of beneficial owners so that they are satisfied that they know who the beneficial owner is and what the control structure is in respect of a client who is other than a natural person
  • Businesses are required to undertake scrutiny of transactions and other activities throughout the course of a business relationship to ensure consistency with businesses' and individuals' knowledge of the client, his business and risk profile
  • Businesses must also keep up-to-date the information collected in applying customer due diligence measures
  • Businesses must apply customer due diligence measures at appropriate times to existing clients on a risk-sensitive basis

This approach does not apply to reporting suspicious activity, because POCA and the Terrorism Act lay down specific legal requirements not to engage in certain activities and to make reports of suspicious activities once a suspicion is held. The risk-based approach still applies to ongoing monitoring of clients and retainers which enables suspicions to be identified.

Rationale for the risk-based approach

The possibility of being used to assist with money laundering and terrorist financing poses many risks for businesses, including:

  • Criminal and disciplinary sanctions for businesses and individuals
  • Civil action against the business as a whole and individuals within it
  • Damage to reputation leading to a loss of business

These risks must be identified, assessed and mitigated, just as businesses do for all business risks that they face. If a business knows its clients well and understands their instructions thoroughly, it will be better placed to assess risks and spot suspicious activities. Applying the risk-based approach will vary between firms. While businesses can, and should, start from the premise that most of their clients are not launderers or terrorist financers, they must assess the risk level particular to their business and implement reasonable and considered controls to minimise those risks.

No matter how thorough the risk assessment or how appropriate the controls, some criminals may still succeed in exploiting a business for criminal purposes. But an effective, risk-based approach and documented, risk-based judgements on individual clients and retainers will enable a business to justify its position on managing the risk to law enforcement, courts and professional supervisors (oversight bodies).

The risk-based approach means that businesses focus their resources on the areas of greatest risk. The resulting benefits of this approach include:

  • More efficient and effective use of resources proportionate to the risks faced
  • Minimising compliance costs and burdens on clients
  • Greater flexibility to respond to emerging risks as laundering and terrorist financing methods change

Developing a risk-based approach

All businesses must have appropriate policies and procedures for assessing and managing the risk of the business being used for money laundering, and of failing to recognise it where it occurs and report it when required.

Businesses are likely to already have in place policies and procedures to minimise professional, client and legal risk. Businesses can extend their existing risk management systems to address anti-money laundering and counter terrorist financing risks. The detail and sophistication of these systems will depend on the business's size and the complexity of the business it undertakes. Ways of incorporating the risk assessment of clients, business relationships and transactions into the overall risk assessment will be governed by the size of the business and how regularly compliance staff and senior management are involved in day-to-day activities.

Issues which may be covered in a risk assessment system include:

  • The business's current risk profile
  • How anti-money laundering/counter terrorist financing risks will be assessed, and processes for re-assessment and updating of the business's risk profile
  • Internal controls to be implemented to mitigate the risks
  • Which personnel have authority to make risk-based decisions on compliance on individual files
  • How compliance will be monitored and effectiveness of internal controls will be reviewed

Senior management engagement and commitment are needed to produce and embed a successful risk-based approach, which also needs to be communicated effectively to all staff members who need to use it.

In developing a risk-based approach, businesses need to ensure it is readily comprehensible and easy to use for all relevant staff. In cases of doubt or complexity, businesses may wish to consider putting in place procedures where queries may be referred to a senior and experienced person, e.g. the MLRO, for a risk-based decision which may vary from standard procedures.

Applying a risk-based approach

The risk profile of a business depends on its size, type of clients, and the practice/service areas it engages in.

Businesses should consider the following factors:

Client demographic

A business's client demographic can affect the risk of money laundering or terrorist financing.

Factors which may vary the risk level include whether a business:

  • Has a high turnover of clients or a stable existing client base
  • Acts for politically exposed persons (see Enhanced due diligence)
  • Acts for clients without meeting them
  • Operates in locations with high levels of acquisitive crime or for clients who have convictions for acquisitive crimes, which increases the likelihood the client may possess criminal property
  • Acts for clients affiliated to countries with high levels of corruption or where terrorist organisations operate
  • Acts for entities that have a complex ownership structure
  • Is easily able to obtain details of beneficial owners of its clients or not

Service and practice areas

Some service and practice areas could provide opportunities to facilitate money laundering or terrorist financing. For example:

  • Complicated financial or property transactions
  • Providing assistance in setting up trusts or company structures, which could be used to obscure ownership of property
  • Payments that are made to or received from third parties
  • Payments made by cash
  • Transactions with a cross-border element

Individual risk

Businesses should determine the risks posed by a specific client or retainer. This may involve considering whether:

  • The client is within a high risk category
  • The business can be easily satisfied the CDD material for the client is reliable and allows the business to identify the client and verify that identity
  • The business can be satisfied it understands the client's control and ownership structure
  • The transaction involves a service or practice area at higher risk of laundering or terrorist financing
  • There are any aspects of the particular retainer which would increase or decrease the risks

Businesses can decide for themselves how to carry out their risk assessment, which may be simple or sophisticated depending on the nature of their business. Where, for example, the business is simple, involving few service lines, with most clients falling into similar categories, a simple approach may be appropriate for most clients, with the focus being on those clients that fall outside the norm.

Or businesses may assess the money laundering risks of:

  • Different products and services
  • Client types and sectors
  • The jurisdictions of client origin, funding, investment and conduct of business

and apply a simple risk categorisation of low/normal/high on the basis of these categories. Such an approach is valid, and should be capable of minimising complexity, but needs to retain an element of discretion and flexibility where risk ratings may be raised or lowered with appropriate management input in response to particular or exceptional circumstances.

This categorisation can then be incorporated into client acceptance procedures, and as step 1 of the customer due diligence process, allows a money laundering risk level to be assigned to ensure appropriate, but not excessive, customer due diligence work is carried out.

This helps businesses to adjust their internal controls to the appropriate level of risk presented by the individual client or the particular retainer. Different aspects of the business's CDD controls will meet the different risks posed:

  • If it is satisfied that it has verified the client's identity, but the retainer is high risk, the business may require relevant staff to monitor the transaction more closely, rather than seek further verification of identity
  • If it has concerns about verifying a client's identity, but the retainer is low risk, the business may expend greater resources on verification and monitor the transaction in the normal way

Managing and monitoring compliance

Businesses are required to monitor and manage their compliance with, and internal communication of, their policies and procedures. This includes their systems for risk assessment and management, as well as their other anti-money laundering policies and procedures. All such systems should be managed through monitoring the operation of the controls, updating them where necessary and assessing whether they have been effective.

Risk assessment is an ongoing process both for businesses generally and for each client, business relationship and retainer. It is the overall information held by a business gathered while acting for the client that will inform the risk assessment process. For example, businesses may, during the course of a transaction or business relationship, become aware of activity in the client's business which they perceive as likely, by its nature, to be related to money laundering or terrorist financing (in particular, complex or unusually large transactions and all unusual patterns of transactions which have no apparent economic or visible lawful purpose). In those circumstances, businesses have a duty to pay special attention to such an activity.

It is important, therefore, for any approach adopted to incorporate provisions for raising the risk rating from low or normal to high if any information comes to light in conducting the customer due diligence or subsequently that causes concern or suspicion.

In all cases, even where clients qualify for Simplified due diligence under the terms of the 2007 Regulations, or where they are considered low risk for other reasons, to assist in effective ongoing monitoring businesses should gather knowledge about the client to allow understanding of:

  • Who the client is
  • Where required, who owns it (including ultimate beneficial owners)
  • Who controls it
  • The purpose and intended nature of the business relationship
  • The nature of the client
  • The client's source of funds
  • The client's business and economic purpose