The critical role of a firm’s AML risk assessment framework

They outline that risk assessment should be seen as the most critical component of a firm’s AML/CFT framework and one that can help protect it from potential financial, reputational and operational harm, they write.

Over the last decade, there has been an increased focus by firms on strengthening their Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) frameworks, largely due to the fast-paced changes to Anti-Money Laundering (AML) regulation and the legislation both at an Irish, European and global level.

The recurring theme in recent Central Bank of Ireland (CBI) publications (specifically Anti-Money Laundering Bulletins and Dear CEO letters) is that their supervisory engagement has ‘identified failings by firms in the design and implementation of their AML/CFT/FS Business Risk Assessment’.

The recent CBI sanction on Danske Bank A/S (€1.82m) reiterated the need for robust and effective AML governance and risk management frameworks that are ‘risk-based, proportionate and informed by firms’ business risk assessment of their ML and TF risk exposure’. Similar weaknesses arose in the UK through the Financial Conduct Authority’s (FCA) sanctions imposed on Ghana International Bank Plc (GBP£5.8m) and TJM Partnership (GBP £2m) last year.

The reality is that, across the financial services sector, many firms struggle to design and implement an effective AML Business Risk Assessment framework (AML RA) that reflects their business model and associated AML risks.

The benefits of a robust AML RA

When conducted appropriately, the AML RA greatly benefits the Board of Directors (Board) and senior management to ensure that they are proactively managing and protecting their business from avoidable financial losses. A sound AML RA provides valuable information to establish and monitor a firm’s AML/ CFT risk appetite and enables the application of a risk-based approach to implement adequate AML/CFT controls and resources. This will ensure that inefficiencies in having excessive controls for lower-risk scenarios are identified and shifted to ensure stronger controls are implemented for areas with heightened risk. A robust AML RA will also be key to understanding which customers and business activities are most vulnerable to ML/TF. More importantly, it will allow firms to implement action plans that are commensurate with the risk of ML/TF. The credible threat of enforcement from regulators is another key driver for firms to invest time and resources into getting their AML RA right. There are several components to consider, to ensure your AML RA not only stands up to regulatory scrutiny but also protects your business from ML/TF infiltration.

Defining the AML RA and methodology

In recent years, the CBI AML Bulletins highlighted weaknesses in firms’ design and implementation of their AML RA. In particular, the CBI stated that firms’ procedures do not sufficiently document the approach and methodology employed to complete their AML RA. Firms operating as part of a group structure and adhering to group processes to conduct the AML RA did not demonstrate that the AML RA and associated procedures were tailored to local customers, business activities and the Criminal Justice Act (Money Laundering and Terrorist Financing) Act CJA 2010 (CJA 2010) and were subject to approval and oversight locally.

Therefore, firms should ensure that AML procedures outlining the end-to- end process for completing the AML RA are in place and updated regularly. The procedures should clearly outline the approval and data quality review processes, and business units responsible for preparing and reviewing the AML RA. Any automated processes/algorithms used to calculate ratings should be documented and understood by those responsible for undertaking the AML RA.

(a) Identifying and designing the inherent risk

At the outset of the process, firms should consider and have a detailed understanding of the inherent ML/TF sector specific risks to which they are exposed. A RA likely to meet regulatory expectations, will not only clearly align with sector specific risks highlighted in the National Risk Assessment (NRA) and other regulatory guidance (e.g. European Supervisory Authorities ML/TF Risk Factor Guidelines), but will articulate unique risks pertaining to an individual firm’s business model and strategy. In instances where there is a divergence in the inherent risk ratings within a firms RA compared to the NRA, firms should include documented rationale supporting that rating. At a minimum, a sound assessment of inherent risk will incorporate consideration and assessment of the customer, product/service, distribution/ delivery channel, geography, nature, scale and complexity and transaction risk.

(b) Defining the AML/CFT control environment

The AML RA should include clear details of robust AML/CFT systems and controls implemented to mitigate the inherent risks identified. Measures employed to mitigate the risk should be proportionate to the nature, scale and complexity of a firm’s customers and business activities. Including qualitative and quantitative information to support specific areas of the AML/ CFT framework, including Governance & Oversight, ML/TF Risk Assessment (Business Risk & Customer Risk), Customer Due Diligence, Ongoing Monitoring, Transaction Monitoring, Politically Exposed Persons (PEP) & Financial Sanctions Screening and Suspicious Transaction Reporting will be a key component.

A RA likely to meet regulatory expectations, will not only clearly align with sector specific risks highlighted in the National Risk Assessment (NRA) and other regulatory guidance (e.g. European Supervisory Authorities ML/TF Risk Factor Guidelines), but will articulate unique risks pertaining to an individual firm’s business model and strategy.

Kian Caulwell Partner, Head of Financial Services Consulting

A key area for improvement highlighted by the CBI in the past is firms needing to have processes in place to measure the effectiveness of the controls. Therefore, there must be a process in place, including ongoing evaluation, monitoring & testing, to evaluate the effectiveness of the controls, that is subject to independent challenge and oversight. An AML RA that includes qualitative and quantitative detail on the effectiveness of the AML/ CFT controls, supported by appropriate rationale, will enable firms to manage their ML/TF risk exposure effectively.

(c) Identifying and defining the overall residual risk

Once both the inherent risks have been identified and the effectiveness of the internal control environment has been considered and evaluated, the overall residual risk can be applied. It is determined by balancing the level of inherent risk with the overall strength of the controls. Again, any divergence in a firm’s overall residual risk rating,

compared to sector-specific ratings in the NRA or equivalent, should be considered and include a detailed rationale supporting the variance.

(d) Governance and oversight

The governance arrangements surrounding the AML RA are another crucial element to managing ML/TF risk effectively. Elements of proper governance arrangements key to the process include:

• An effective Board that can demonstrate oversight, review, challenge and discussion of the AML RA;
• An appropriately qualified Money Laundering Reporting Officer or equivalent10 providing AML RA information to the Board in a timely, complete and accurate manner to enable informed decision-making;
• An effective three lines of defence that undertakes:
  • Adequate and ongoing assurance testing of risk management and controls, the results of which should be clearly embedded in the AML RA;
  • Appropriate calibration testing of technological solutions/FinTech used to perform AML/CFT activities (e.g. CDD, transaction monitoring) to ensure they continue to be effective.

With robust governance arrangements in place, Boards and senior management will have sufficient visibility to drive remediation and strengthen ineffective or weak aspects of the AML RA, which will be key to improving the residual risk in the following review period.

(e) Frequency of assessment and approval

The expectation from regulators generally is that the AML RA is performed annually or more frequently where a new ML/TF risk has emerged, or an existing one has increased. The ML/TF guidance by National and international authorities and watchdogs11 is ever-changing. With that, there is a further expectation for firms to demonstrate their AML RA is constantly evolving and their ML/TF risk exposure is critically benchmarked against new guidance and emerging ML/TF threats. Firms must also ensure that appropriate evidence is retained of senior management approval of the AML RA required under Section 30A(5) of the CJA 2010.

Conclusion

Firms must ensure that their frameworks continually monitor the evolving ML/TF risks, which may be detrimental to their business. The effectiveness will be largely dependent on oversight and review of both the AML RA itself and the process to complete it. Reviews and assurance of the AML RA, independent of the business and performed on a periodic basis, will ensure advice is available to protect your firm, as financial crime continues to reach new levels of sophistication.

Based on recent guidelines and publications that focus on the application of a risk-based approach to ML/TF generally, firms should expect the AML RA to be front and centre in any AML/ CFT engagement with the CBI. The AML RA should be viewed as the most critical component of a firm’s overall AML/CFT framework, but also to protect your firm from potential financial, reputational and operational harm.

Kian Caulwell is partner and Head of Financial Advisory Consulting and Cara Hyland is Head of AML Advisory at Mazars.

This article first appeared in the Finance Dublin Yearbook 2023.