
How to Conduct an AML Business Risk Assessment!

An AML Business Risk Assessment is the first step a reporting entity must complete when developing an AML/CFT compliance framework. The AML Business Risk Assessment identifies those areas across business operations that increase vulnerability to unwittingly facilitating money laundering or terrorism financing. Before commencing an AML audit, your business should review your AML/CFT risk assessment and ensure it remains current. Whether it is current should be measured against the business environment, relevant regulations and AML/CFT Supervisor guidelines.


AML Business Risk Assessments: Legal Requirements

Section 58 of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 sets out the minimum requirements a reporting entity must apply when undertaking an AML business risk assessment.

Section 59 sets out that the AML business risk assessment must be reviewed to meet the following:

(a) ensure that the risk assessment and AML/CFT programme are up to date; and

(b) identify any deficiencies in the effectiveness of the risk assessment and the AML/CFT programme; and

(c) make any changes to the risk assessment or AML/CFT programme identified as necessary under paragraph (b).

How often should the AML business risk assessment be reviewed?

The AML/CFT laws and Guidelines do not stipulate a minimum review period for AML/CFT risk assessments. However, the AML/CFT Act requires the risk assessment to be kept up-to-date.  The best practice is to conduct a review of the AML/CFT risk assessment at least on an annual basis.

When there have been material changes to business operations or AML/CFT regulations, the risk assessment is required to reflect these changes and show how the changes impact the AML/CFT programme. 

After conducting a review and determining no changes are needed, the document management table should show that a review was carried out and no updates were required.  


Avoid a Tick-Box Approach

As the legislation is focused on the risk-based approach, the law is not prescriptive in how the analysis should be conducted. However, AML Supervisors have issued Guidelines to assist businesses when conducting AML/CFT risk analysis.

The most important aspect is that the risk assessment provides an effective outcome explaining the ML/FT risks that a business must manage.

What is commonly referred to as a ‘tick box approach’ to risk analysis will not meet regulatory requirements. Templates can be used but must be customised to the reporting entity’s nature, size and complexity.

Minimum Criteria of an AML business risk assessment

Section 58 sets out that an AML business risk assessment must have regard to the following:

(a) the nature, size, and complexity of its business; and

(b) the products and services it offers; and

(c) the methods by which it delivers products and services to its customers; and

(d) the types of customers it deals with; and

(e) the countries it deals with; and

(f) the institutions it deals with; and

(g) any applicable guidance material produced by AML/CFT supervisors or the Commissioner relating to risk assessments; and

(h) any other factors that may be provided for in regulations.


Common Errors

Below is a list of common errors that AML auditors identify with AML risk assessments:

  1. No document management table. A document management table should be provided at the front of the risk assessment. This table should show (a) the version number of the risk report, (b) when the assessment was updated, (c) who conducted the review, (d) the name of the personnel who signed off the review, and (e) what changes (if any) were made. Changes can be shown as bullet points or a brief description. A document management table is an easy way to manage and maintain records.
  2. Lack of detail from the sector and national risk assessments.  The sector and national risk assessments contain vital information for reporting entities to incorporate into their AML/CFT risk assessments.  These documents refer to the types of customers, products and services, and typologies for committing money laundering or terrorism financing. AML/CFT Supervisors and auditors expect AML risk assessments to include narrations of the areas within the sector and national risk reports that impact the business. Including a link to a sector or national risk report is not sufficient. 
  3. Keeping the risk assessment up-to-date. AML/CFT laws require the risk assessment to be kept up-to-date and for the risk assessment to outline how the business will ensure this is met. Don’t forget to include how your company ensures the risk assessment remains current.
  4. Lack of Detail. Section 58 sets out the minimum criteria to be analysed. Ensure your business includes narration for each aspect in section 58. You will find the requirements of Section 58 at the beginning of this article.
  5. Inadequate risk methodology.  The application of a risk management process must be adequate and effective. Risk management itself is a disciplined exercise, and it requires subject matter expertise. The risk assessment document should explain how the assessment outcome was obtained. AML auditors and AML supervisors will examine whether the approach satisfactorily meets regulatory requirements. Validation of the risk assessment process is critical to meeting obligations.