What is the purpose of the ML/TF Risk Assessment?
Risk management is the process of identifying risk and developing policies and processes to minimise and manage that risk. This requires the development of a framework to identify, assess, prioritise, mitigate, manage, and monitor risk exposures.
The risk management process involves assessing risks against the likelihood (or chance) of them occurring and the severity or amount of loss or damage (or impact) which may result if they do occur.
ML/FT risk is the risk that businesses or products and services may be used to facilitate money laundering (ML) or financing terrorism (FT).
It is unrealistic that an organisation would operate in a completely risk-free environment in terms of ML/FT. Therefore, we should identify the ML/FT risk we face, then assess the optimal approach to reduce and manage that risk.
1. Overview
AML Accelerate's ML/TF risk assessment methodology was developed by AML subject matter experts based on domestic and international ML/TF risk assessment methodologies, as well as industry and regulatory guidance.
The methodology also leverages international risk management standards, including ISO31000.
The methodology has been designed to enable organisations, using the AML Accelerate platform, to identify and assess ML/TF risks by responding to a series of pre-defined questions, which generate the ML/TF risk assessment for an organisation.
Once ML/TF risks have been identified and assessed, it is the responsibility of the organisation to develop, operationalise, and continually monitor mitigating systems, processes, and controls to effectively manage ML/TF risks.
These controls are set out in the AML Program and Customer Due Diligence Standards, which form part of the AML Accelerate AML Program Manual.
The methodology defines each risk dimension used in the ML/TF risk assessment. The methodology considers the following dimensions of ML/TF risk:
- Environmental Risk
- Customer Risk
- Business Risk
- Channel Risk
- Product or Service Risk
- Country Risk
2. Environmental Risk
2.1 What is Environmental Risk?
Environmental risk considers the external and internal environments that a business operates in.
The methodology facilitates an assessment of the predicate crimes, identified by international guidance, to which an organisation is vulnerable.
The ML/TF environmental risk methodology also includes the internal vulnerability of the organisation to being involved in money laundering, terrorist financing, or breaching targeted financial sanctions.
2.2 Conducting the Environmental Risk Assessment
After the Company Information has been completed, the user is taken to the ML/TF Risk Assessment, starting with the Environmental Risk Assessment.
At the top of the screen, there is a navigation bar to navigate to each risk category, which must be answered sequentially before the user can proceed to the next step.
After the navigation section, there is a description of the risk factor and a series of risk indicator(s), which are essentially red flags to assist the regulated entity in assessing whether this type of risk is present.
The next section assesses the inherent risk rating, which is the product of the likelihood of the particular risk occurring and the probable impact on the business were the risk to occur.
Inherent risk is sometimes referred to as "raw" risk, meaning the risk rating is based on having no treatment actions in place.
The next step is to assess the residual risk, which is based on the existence and effectiveness of mitigating controls to reduce the inherent risk.
By selecting the Add button, you will see a list of recommended controls to help reduce the inherent risk.
The intent behind these suggestions is to provide guidance on the types of risk-based systems, procedures and controls that the regulated entity should think about implementing (if they have not already).
If there are additional controls that are either present or have been designed but are not included in the Global default library, users can add them under 'Company Controls'. These controls are then added to the organisation's Control Library for use in future assessments.
Important: by selecting a suggested control, the regulated entity is indicating that the control has been or will be implemented. Reflect the actual status of each control, and note the absence of any control, in the Rationale/Additional Comments field.
The library of suggested controls is displayed in a pop-up with pre-defined suggestions that can be added (or not) against the risk assessment.
Once the user clicks on Add Selected Controls, these are added to the risk assessment.
The user can decide to delete these after they have been added.
Once the controls have been added, the user needs to assess how effective each control is, and can flag any that are key controls.
To assist with assessing the rating for controls, controls testing documentation can be uploaded to and downloaded from each control.
From a controls testing methodology perspective, independent audit teams usually look at this from two perspectives, following the COSO (controls assurance) framework:
- Design effectiveness
  - Present - is the control present
  - Fit for purpose - is the control design appropriate for the risk it is trying to mitigate
- Operational effectiveness
  - Implemented - was the control actually implemented (or was it just documented)
  - Operating effectively - is the control operating effectively in practice to mitigate the risk for which it was designed
The user can also add additional contextual information at the bottom in 'Additional information' when needed.
Additionally, you can attach supporting or relevant documentation in 'Links/Attachments' to help validate the claims you have entered on this page.
3. Customer Risk
3.1 What is Customer Risk?
ML/TF customer risk is the risk or vulnerability that customers may be involved in money laundering or terrorist financing activities. ML/TF customer risk is significantly influenced by the nature and/or attributes of a customer.
3.2 Conducting the Customer Risk Assessment
After the Environmental Risk Assessment has been completed, the user is taken to the Customer Risk Assessment, which is summarised into the following 6 sections (the first 4 of which combine to derive the inherent risk):
- Customer Legal Form
- Politically Exposed Person (PEP) Risk Assessment
- Location Risk Assessment
- Business Risk Assessment
- Residual Risk Rating
- Additional Information
3.3 Residual Risk Assessment
If there are controls in place, the user needs to assess how effective each control is, and can flag any that are key controls.
To assist with assessing the rating for controls, controls testing documentation can be uploaded to and downloaded from each control.
From a controls testing methodology perspective, independent audit teams usually look at this from two perspectives, following the COSO (controls assurance) framework:
- Design effectiveness
  - Present - is the control present
  - Fit for purpose - is the control design appropriate for the risk it is trying to mitigate
- Operational effectiveness
  - Implemented - was the control actually implemented (or was it just documented)
  - Operating effectively - is the control operating effectively in practice to mitigate the risk for which it was designed
4. Business Risk
4.1 What is Business Risk?
ML/TF business risk is the risk or vulnerability of a business's operations to money laundering or terrorist financing activities. ML/TF business risk is significantly influenced by where the business operations are located, the use of third parties, and the ML/TF risks arising from employees.
The methodology applied to assess business ML/TF risk through the AML Accelerate platform defines business risk as the combination of business operations risk and employee risk.
4.2 Conducting the Business Risk Assessment
After the Customer Risk Assessment has been completed, the user is taken to the Business Risk Assessment, which is summarised into the following 5 sections (the first 3 of which combine to derive the inherent risk):
- Business Location Risk Assessment
- Outsource Risk Assessment
- Employee Risk Assessment
- Residual Risk Rating
- Additional Information
4.3 Residual Risk Assessment
If there are controls in place, the user needs to assess how effective each control is, and can flag any that are key controls.
To assist with assessing the rating for controls, controls testing documentation can be uploaded to and downloaded from each control.
From a controls testing methodology perspective, independent audit teams usually look at this from two perspectives, following the COSO (controls assurance) framework:
- Design effectiveness
  - Present - is the control present
  - Fit for purpose - is the control design appropriate for the risk it is trying to mitigate
- Operational effectiveness
  - Implemented - was the control actually implemented (or was it just documented)
  - Operating effectively - is the control operating effectively in practice to mitigate the risk for which it was designed
5. Channel Risk
5.1 What is Channel Risk?
ML/TF risk is significantly influenced by the nature and/or attributes of the channels used to deliver products and services to customers.
Channel risk is determined by whether the delivery of a product or service involves face-to-face contact with the customer, as face-to-face contact limits the scope for customer anonymity and makes it easier to establish whether the customer is who they claim to be.
The use of third parties as part of the delivery chain of a product or service also creates a higher ML/TF channel risk.
The methodology applied to assess channel ML/TF risk through the AML Accelerate platform defines channel risk as the combination of third party risk and non-face to face customer engagement risk.
5.2 Conducting the Channel Risk Assessment
After the Business Risk Assessment has been completed, the user is taken to the Channel Risk Assessment, which is summarised into the following 4 sections (the first 2 of which combine to derive the inherent risk):
- Non-Face to Face Risk Assessment
- Third Party Risk Assessment
- Residual Risk Rating
- Additional Information
5.3 Residual Risk Assessment
If there are controls in place, the user needs to assess how effective each control is, and can flag any that are key controls.
To assist with assessing the rating for controls, controls testing documentation can be uploaded to and downloaded from each control.
From a controls testing methodology perspective, independent audit teams usually look at this from two perspectives, following the COSO (controls assurance) framework:
- Design effectiveness
  - Present - is the control present
  - Fit for purpose - is the control design appropriate for the risk it is trying to mitigate
- Operational effectiveness
  - Implemented - was the control actually implemented (or was it just documented)
  - Operating effectively - is the control operating effectively in practice to mitigate the risk for which it was designed
6. Product or Service Risk
6.1 What is Product or Service Risk?
ML/TF risk is significantly influenced by the nature and/or attributes of products and services.
Product or service risk is determined by whether the attributes of a product or service offer the user functionality that can be used to facilitate money laundering and/or terrorist financing.
The methodology applied to assess product ML/TF risk through the AML Accelerate platform is based on a set of product attributes that act as risk factors: the more of these attributes a product or service has, the more vulnerable it is, and therefore the higher its risk from a money laundering and terrorism financing perspective.
6.2 Conducting the Product Risk Assessment
After the Channel Risk Assessment has been completed, the user is taken to the Product Risk Assessment, which is summarised into the following 3 sections (the first section derives the inherent risk):
- Risk Assessment
- Residual Risk Rating
- Additional Information
6.3 Residual Risk Assessment
If there are controls in place, the user needs to assess how effective each control is, and can flag any that are key controls.
To assist with assessing the rating for controls, controls testing documentation can be uploaded to and downloaded from each control.
From a controls testing methodology perspective, independent audit teams usually look at this from two perspectives, following the COSO (controls assurance) framework:
- Design effectiveness
  - Present - is the control present
  - Fit for purpose - is the control design appropriate for the risk it is trying to mitigate
- Operational effectiveness
  - Implemented - was the control actually implemented (or was it just documented)
  - Operating effectively - is the control operating effectively in practice to mitigate the risk for which it was designed
Use the Product Risk CSV Export button to extract the questions (and answers, if any exist) to collect data from relevant business units, or to share with stakeholders for review.
7. Country Risk
7.1 What is country ML/TF risk?
Country risk is the assessment of a country's or jurisdiction's vulnerability to money laundering, terrorism financing, and targeted financial sanctions. A country's ML/TF risk directly impacts the AML program controls:
- Business operations in higher risk countries are considered to represent a higher ML/TF risk;
- Customers located in higher risk countries are considered to represent a higher ML/TF risk; and
- Enhanced Customer Due Diligence (ECDD) must be undertaken on all customers using the business operation in higher risk countries, unless their relationship is only domestically located in that higher risk country.
7.2 Conducting the Country Risk Assessment
After the Product Risk Assessment has been completed, the user is taken to the Country Risk Assessment, which is based on an assessment across a broad range of inputs.
The screenshot below shows how this page is laid out. The countries displayed are derived from the country risk footprint captured in the previous risk assessment steps, for example:
- Registered Office Address Location
- AML Compliance Officer Location
- Customer Location
- Business Location
- Third Party Location
The default risk rating is displayed for each country. You can change the default risk rating to another rating, but you will be required to provide a rationale for applying a custom risk rating.