QUESTION
We know that you conduct anti-money laundering tests. But we have been told that you also conduct anti-money laundering risk assessments. What is an anti-money laundering risk assessment?
ANSWER
The anti-money laundering (AML) risk assessment is central to AML compliance. Even if a company has established the "four pillars" – an AML program, an AML compliance manager, AML training, and AML testing – it should still conduct an AML risk assessment. Implementing the four pillars is the minimum expectation. The risk assessment goes beyond the minimum by determining the risk of potential abuse for money laundering, terrorist financing, or other criminal activity.
The AML risk assessment focuses on risks presented to the organization’s products and services. It also considers where the customer base and organization are located. The risk assessment should surely review the business channels that originate and/or manage a company’s products and services. [FFIEC Exam Manual, 22, Note 10]
This type of review develops a risk profile, which is one of several tools used in developing appropriate methods to mitigate the risks of potential abuse. The risk assessment’s findings are used to independently verify and validate a company’s AML compliance in anticipation of regulatory scrutiny and banking examinations. The auditor should be independent and provide findings that a regulator can review during an examination. [FFIEC Exam Manual, 23, Note 10]
Without an AML risk assessment, a company may not be able to adequately and effectively develop the infrastructure needed to prevent the risks of money laundering and other suspicious financial activity. Indeed, an AML risk assessment should produce or inform the AML program, not the other way around. Put otherwise, as a consequence of an AML risk assessment, a financial institution can develop an AML program containing the necessary strategies to mitigate identified risks and develop procedures in its overall AML compliance, further drawing on and using applicable resources more efficiently.
Importantly, the AML risk assessment is the single most important tool for a company in building and maintaining AML compliance. The exercise of conducting the risk assessment compels the organization to catalogue and risk rate all of its products and services, give consideration to certain risk features of its customer base, and determine the risks associated with the markets in which the company does business – all done to determine how vulnerable it may be to potential abuse by money launderers and others involved in financial crimes.
Once the AML risk assessment is completed, the financial institution should focus on the ways and means available to mitigate the identified risks, including periodic audits and review of internal controls.
Jonathan Foxx
Managing Director
Lenders Compliance Group