Writing a Risk Assessment Webinar Transcript
Hey everyone, welcome to the second webinar in the series produced by the DIA AML Group. My name is Kariba and I'm a Senior Advisor in our Engagement and Innovation team within the AML Group. Today's webinar will focus on how to write a risk assessment, one of your obligations under the AML/CFT Act. If you have any questions about writing a risk assessment, or any questions about your other obligations, please make sure you email us at: firstname.lastname@example.org
Let's get started.
So what is a risk assessment? A risk assessment is the first step you must take before developing your AML/CFT programme. It involves identifying and assessing the inherent risks your business reasonably expects to face from money laundering or terrorism financing.
Inherent risk means the money laundering/terrorism financing risk present before you apply any controls or mitigations. Once you complete your risk assessment you can then put in place a programme that minimizes or mitigates these risks. Your programme must be based on your risk assessment.
So why do you need to conduct a risk assessment? The global AML/CFT system is risk-based, therefore your business must also take a risk-based approach. This was written into the New Zealand AML/CFT Act, which states that you must conduct a written risk assessment. When we say risk-based approach we mean proportionate AML/CFT measures that you implement in response to identified risks. An effective risk-based approach allows you to exercise informed judgment when meeting your obligations.
Under a risk-based approach there is no such thing as zero risk. However, there may be some areas of your business that you consider low-risk, or where you consider it very unlikely that money laundering or terrorism financing could occur. Your risk assessment and programme should reflect a risk-based approach that allows you some flexibility in the steps you take when meeting your AML/CFT obligations.
A risk-based approach does not stop you from engaging in transactions or activities, or from establishing business relationships with higher-risk customers. Rather, it should help you to effectively manage and prioritize your response to money laundering/terrorism financing risks.
How do you write a risk assessment? There is no template for writing the risk assessment; however, there is plenty of guidance available on our website, including the risk assessment guideline and the risk assessment and programme prompts and notes. While these are not templates, they are essentially a framework which you can complete and fill out using the prompts to guide you. The Act also tells you what your risk assessment must consider; these areas are also included in the guidelines and we will be discussing them later. You should also be aware of the wider context, including New Zealand's money laundering/terrorism financing risk and your sector's money laundering/terrorism financing risks. This will involve reading the National Risk Assessment and your sector risk assessment.
The sector risk assessment can also work as a foundation, for both structure and risk, for your business to consider. As the sector risk assessment also assesses the areas which the Act requires you to consider, you should be able to use it as a starting point for your own assessment. All the guidance I've mentioned is available on our website under "information for businesses".
Here are some tips for writing a risk assessment.
Remember that you are assessing the inherent risk of your business. We frequently see businesses saying they're lower risk in a particular area because of their AML/CFT controls. However, you should be assessing your risk before your controls are in place. Ask yourself, your staff and your peers: "how may our business be vulnerable to money laundering or terrorism financing?" What I mean by that is, before you start writing your risk assessment or before you review it, it would be worthwhile to sit down with other staff or with peers in your industry and consider how criminals may use your business to launder their money.
In recent workshops with businesses we asked the same question, and we got similar answers across all the workshops and across all the sectors in New Zealand. Some of their answers were: abuse of our trust accounts; dealing with complicated legal structures where the true beneficial owner or money could be hidden; transacting funds on behalf of clients; transactions or activities across multiple countries; connections to cash; providing assets that are attractive to criminals; non-face-to-face relationships with clients; and products or services that allow clients to remain anonymous. Again, these were what businesses came up with for how someone could use their business to launder money or finance terrorism. You may have come up with similar vulnerabilities or ways in which criminals may use your business. It will be important to consider these in your risk assessment. A consistent methodology that you understand is very important. There is no one-size-fits-all methodology for you to use. This means you'll be able to choose one that makes sense for you and your business.
A frequently used methodology is an assessment of the likelihood of an event and the consequence of an event, sometimes known as threat and impact. Some businesses just choose to assess the likelihood. Whatever you choose, it should be used consistently throughout your whole assessment. Your risk should be assessed objectively in light of relevant guidance material such as the sector risk assessment. For example, if the sector risk assessment rates the products and services of your sector as high risk and you rate your products and services as medium risk, you will need to state why.
In your analysis of risk it's important to provide context. Business data will be incredibly useful to help justify and explain your business and your analysis of risk. Again using your products and services as an example, what percentage of your business relates to any particular product or service will be useful information to include in your assessment. Finally, a common mistake we see is a business explaining a part of their business and then concluding with a risk rating but with no analysis. In other words, they have not explained how they came to that conclusion. For example, they may say they have a small business, therefore their risk rating for size and complexity is low risk, but they haven't explained why a small business decreases risk or amounts to lower risk. Sometimes I explain that this is similar to a maths exam. If you just state your answer to a question without showing your working, you will not get full marks. Likewise, you need to show your working, that is, how you came to your risk rating or risk conclusion.
Next we'll go over the areas that the Act states you must consider. These areas are: the nature, size and complexity of your business; the products and services you offer; the way you deliver your products and services; the types of customers you deal with; the countries you deal with; and the institutions you deal with. Please note that the Act also states that your risk assessment must be in writing, it must identify the risks faced in the ordinary course of business, and it must describe how you'll keep your risk assessment current. All these areas are what we will check when we review your documents.
Nature, size and complexity. Nature relates to what business sector you're in and what services you provide. Are you a gatekeeper profession? Are you a financial institution? Is there anything about the nature of your business that may make you more vulnerable? For size and complexity, the sector risk assessment sets out what a small, medium or large business is for most sectors. For example, for the legal sector it states that small means 1 to 19 employees, medium means 20 to 99 employees and large means 100 or more employees. You should ask yourself whether the size of your business could potentially mask suspicious activity, as the size of your business may play a role in how attractive it is for money laundering or terrorism financing. A large business is less likely to know its customers personally, which could offer more anonymity; a complex business structure with multiple offices and subsidiaries may carry the same risk. Size and complexity could also have an impact on your implementation of AML/CFT measures, which could create more risk. Considering these factors is the analysis you should include in your risk assessment, the "working out" I talked about earlier. You should also add context to these areas. Business data is an important aspect of this context and helps you to provide objective reasoning for your conclusion. For example, in your assessment of size and complexity you can say how many branches or subsidiaries your business has, as well as how many employees.
Products and services. You will need to consider all the products and services you offer that are captured under the Act, for example forming companies. Under each product and service you should consider: has the product or service been identified as presenting heightened money laundering or terrorism financing risk? You may find this in the sector risk assessment or other guidance. For example, for lawyers the sector risk assessment has identified the products and services of the legal sector as high-risk. It states there are certain vulnerabilities in the purchase and sale of real estate, the formation, merger and acquisition of companies, the formation of trusts, and providing trust services. If you are a law firm which offers all of these services you may conclude that your products and services risk is also high. Does it allow for anonymity, or does it conceal or disguise the beneficial owner? Any product or service that allows for anonymity or helps to disguise true beneficial ownership will be attractive to criminals trying to disguise their true identity. Does it disguise or conceal the source of wealth or funds? Similar to identity, a criminal would try to disguise the true origins of their wealth or funds. Does it allow payments to third parties? Does it commonly involve receipt or payment in cash? Cash is still a favoured method of money laundering/terrorism financing for certain predicate offending; the ease of movement without an audit trail makes it highly vulnerable to money laundering/terrorism financing activity. Does it allow the movement of funds across borders? We suggest giving a risk rating to all your captured products and services before giving an overall risk rating to this area of your business. Remember you are also providing context, which will help you analyze and conclude on risk.
For products and services you should be considering what approximate percentage of your business each product or service makes up, as this will help you determine the likelihood and impact of money laundering/terrorism financing. For example, a product or service which is attractive to criminals because it allows them anonymity and the concealment of wealth, and which makes up a large portion of your business, is likely to be a high-risk product, or rated as "very likely" using your methodology.
Consider all the ways you deliver your products and services. By this we mean face to face, via the internet or by phone. Under each method of delivery you should consider: does it allow for anonymity? As with products and services, anonymity is highly sought after by criminals to facilitate money laundering or terrorism financing. Does it depend on, or can it involve, intermediaries? The use of intermediaries may result in the customer's identity, beneficial owner or effective controller not being transparent to you. Does it remove or limit face-to-face contact? Less face-to-face interaction with the customer increases the vulnerability to money laundering/terrorism financing activity. Does your business use a method of delivery targeted at offshore customers or clients? Having offshore customers may expose your business to money laundering/terrorism financing risks, especially in connection with countries that have weak AML/CFT regimes and high levels of bribery and organized crime.
Can a third party act on behalf of the customer? Again, this could result in your customer's identity, beneficial owner or effective controller not being transparent. We suggest giving a risk rating to all your methods of delivery before giving an overall risk rating to this area of your business. Remember you are also providing context, which will help you to analyze and conclude on risk. In this case you should be considering what your most common method of delivery is, and how many customers you deliver services to using each delivery method. Customer or client risk. For customer risk you will need to consider your whole customer or client base and, if you have a large variety, group certain customer types together to consider their risks. Examples of groups may be trusts, companies, New Zealand customers or offshore customers.
Some customer types pose a higher risk of money laundering/terrorism financing than others. Knowing your customer base and their risk will help you to know the risk of new customers when it comes to onboarding, as well as the risks of existing customers. Consider: do you have customers that are legal structures that could hide beneficial ownership? What are their risks? As I said earlier, complicated legal structures could hide true beneficial ownership from you or disguise the origins of wealth. Do you have politically exposed persons, or "PEPs", as customers? PEPs can have a greater vulnerability to money laundering/terrorism financing because of the nature of the positions they hold.
Do you have overseas customers? What are their risks? We suggest giving a risk rating to all your different customer types as applicable before giving an overall risk rating to this area of your business. Remember to add context or data. In this case you should be considering your customer base and what percentage each customer type makes up. This will help you to determine where the risks lie.
You also need to consider the risks of the countries you deal with. Country risk can result from: ineffective AML/CFT measures; ineffective rule of law and economic stability; high levels of organized crime; association with terrorism financing; conflict zones and their bordering countries; and production and/or transnational shipment of illicit drugs. There is guidance to help you objectively determine this, such as the country risk assessment guideline. This is a supervisor-produced guideline that helps you assess a country's risk. There's the Basel AML Index, which is an annual ranking assessing country risk regarding money laundering/terrorism financing. It focuses on AML/CFT frameworks and other related factors such as financial and public transparency and judicial strength. Knowyourcountry.com is an online resource which has country reports that give you information on certain countries, such as whether a country is on a sanctions list, whether it is on the FATF AML-deficient list, and other factors which may increase the risk of that country. Finally, the Financial Action Task Force (FATF) has available on its website a list of high-risk and non-cooperative jurisdictions.
Finally, you need to assess the risk of the institutions you deal with. An institution is an entity that isn't your client or customer but with which you have a business relationship, including those overseas. For example, your business's bank, lawyer or accountant. Some institutions present more money laundering/terrorism financing risk than others, for example unregulated businesses. You will need to consider all the institutions you deal with. If there are many, you may wish to group them and consider the risk of the group, for example New Zealand law firms. Some things to consider when assessing institution risk are: do you deal with institutions that have been subject to legal problems or negative media; do you deal with institutions that have been subject to regulatory actions or negative AML commentary; and are the institutions you deal with regulated under the AML/CFT Act? And just a note on methodology. Methodology means how you are assessing your risk. Risk can be defined in many ways and there is no one-size-fits-all model. Once you have identified the money laundering/terrorism financing risks you face, you must determine the level of each risk. To do this you should consider each element of risk you have identified, your business experience in relation to that risk, information and guidance produced by the AML/CFT supervisors and the FIU, and information and guidance published by international organisations such as FATF. Ways to assess the risk include: how likely an event is; how likely an event is and the consequence of that event; or vulnerability, threat and impact. The DIA has given some examples of methodology in the risk assessment guideline which you can choose to use if you wish. A simple example of using likelihood to assess risk is shown on the slide. Most importantly, you need to understand whatever way you choose to assess risk, and you need to be able to explain it to senior management and staff.
I have an example here of all the elements discussed today. It's an example of a firm considering a particular service they offer: acting as a formation agent for trusts. They have chosen to list all their captured products and services and give each product or service its own rating before giving an overall rating to this area of their business.
"Law firm X acts as a formation agent in forming approximately 50 trusts per year. Last year we formed 55 trusts. These trusts are New Zealand trusts for New Zealand resident clients. Law firm X does not form foreign trusts. Risk factors: the service has been identified as presenting a heightened risk by AML supervisors, the FIU and by the FATF. It can be used for anonymity and to conceal and/or disguise a beneficial owner or the source of wealth or funds. Although the service is a small part of our business we consider that there is a moderate chance of money laundering/terrorism financing occurring. The sector risk assessment assesses the risk for the legal sector's products and services as high. In our methodology this would mean a high chance of money laundering/terrorism financing occurring. We have rated this area lower as the service we offer does not involve foreign trusts or the movement of funds across borders."
You can see that they've given context in that they've stated how many trusts they form a year, and then added last year's figures to support this. They have referenced guidance material, showing they objectively assessed this area of their business. They have also specifically referenced the sector risk assessment's rating on products and services and justified why they have given a different rating for this area of their business. We would expect a similar analysis across all captured services provided, and an overall conclusion for products and services.
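The methodology discussion and the Law firm X write-up above, turned into an added worked example (my code, not the DIA's or the webinar's): a small Python rating helper that supports both the likelihood-only and the likelihood and consequence approaches, aggregates per-service ratings into an area rating, and flags the two mistakes the webinar calls out, a rating with no analysis and a rating that differs from the sector risk assessment with no reason given. The three-point scales, the bucket boundaries, the "highest rating wins" aggregation and the sample entries are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed three-point scales; the webinar leaves the scale to the business.
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3}
ORDER = {"low": 0, "medium": 1, "high": 2}

def rate(likelihood: str, consequence: Optional[str] = None) -> str:
    """Likelihood-only when no consequence is given; otherwise the two
    scores are multiplied and bucketed 1-2 low, 3-4 medium, 6-9 high
    (bucket boundaries are an assumption)."""
    score = LIKELIHOOD[likelihood]
    if consequence is None:
        return ["low", "medium", "high"][score - 1]
    score *= CONSEQUENCE[consequence]
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

@dataclass
class Item:
    name: str
    likelihood: str
    consequence: Optional[str] = None
    analysis: str = ""                   # the "working out" behind the rating
    sector_rating: Optional[str] = None  # what the sector risk assessment says
    justification: str = ""              # why this rating differs from the sector's

def review_area(items: List[Item]) -> Tuple[str, List[str]]:
    """Rate each item, aggregate to an area rating, and flag the two mistakes
    the webinar calls out: a rating with no analysis, and a rating that
    differs from the sector risk assessment with no reason stated."""
    findings, ratings = [], []
    for it in items:
        r = rate(it.likelihood, it.consequence)
        ratings.append(r)
        if not it.analysis.strip():
            findings.append(f"{it.name}: rated {r} with no analysis shown")
        if it.sector_rating and it.sector_rating != r and not it.justification.strip():
            findings.append(f"{it.name}: rated {r} but sector risk assessment "
                            f"says {it.sector_rating}; no reason stated")
    # Area rating is the highest individual rating (conservative aggregation; an assumption).
    overall = max(ratings, key=ORDER.__getitem__) if ratings else "low"
    return overall, findings

def law_firm_x_example() -> Tuple[str, List[str]]:
    """Constructed sample modelled on the Law firm X passage, plus one
    deliberately incomplete entry so that a finding is produced."""
    items = [
        Item("trust formation", "possible",
             analysis="~50 NZ trusts a year (55 last year); heightened-risk service; "
                      "no foreign trusts and no cross-border movement of funds.",
             sector_rating="high",
             justification="No foreign trusts or cross-border funds, so rated below sector."),
        Item("company formation", "likely", sector_rating="high"),  # no analysis: flagged
    ]
    return review_area(items)
```

Running `law_firm_x_example()` rates trust formation medium with no finding (the deviation from the sector's high rating is justified) and the area high overall, with one finding for the company formation entry that shows no working.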
Lastly, it's also a requirement to review and update your risk assessment to ensure it is current, identify deficiencies in its effectiveness and make changes as necessary. You may want to schedule this annually as part of your annual report process, but also consider that you may need to review your risk assessment as a result of a trigger event. The trigger event could be the emergence of a new technology, a new customer type, new services or products, new money laundering/terrorism financing risks as determined by FATF, the AML/CFT supervisors or the FIU, or updated Regulations. This process should be recorded in your AML/CFT programme. Version control of documents is useful to demonstrate that you are reviewing and updating your documents.
If you would like to be made aware of the next webinar, please make sure you are subscribed to our newsletters. The next topic will be writing your AML/CFT programme. Let us know what other webinar topics you would like us to talk about by emailing us or filling out our online survey on our website under the tab "AML webinars".
Thank you very much for tuning in.