“If you don’t invest in risk management, it doesn’t matter which business you are in, it is a risky business.” – Gary Cohn
Whilst the specific requirements have been developed and refined over the last 12 years the need for businesses in the regulated sector to separately risk assess the business, the use of technology and each individual client for the risk of money laundering or terrorist financing has been around since 2008.
It would be true though to say that the focus of the regulator up until recently has largely been on the risk assessments of customers and clients. In recent years, however, the regulator has been placing a greater emphasis on the importance of the business and technological risk assessments as evidenced by some of the more recent civil penalties.
The risk-based approach is central to the effective implementation of the AML/CFT Code. Applied appropriately businesses in the regulated sector identify, assess, and understand the money laundering and terrorist financing risks to which they are exposed, and take AML/CFT measures commensurate to those risks in order to mitigate them effectively, thereby enabling businesses to focus their resources where the risks are higher.
The development of the ML/TF risk assessment is a key starting point for the application of the risk based approach as the intensity and depth of risk mitigation measures including customer due diligence depends on the ML/TF risks faced by the business.
As with any other risk management system there are significant benefits to be gained from adopting an appropriate risk-based approach to money laundering and terrorist financing including:
- Meeting the statutory and legal obligations on the business
- To facilitate better strategic decision making which takes into account the risk of ML/TF and expected impact on compliance costs when considering new markets and product development
- Enable the business to focus their resources where the risks are higher, thereby reducing the costs of compliance
- Enable the business to take on legitimate business from the more profitable high risk jurisdictions with the appropriate controls
- Know your customer practices enable the business to understand how and why their products and services are being consumed leading to enhanced market knowledge and improved product development
- Increase the quality of business undertaken
- Reduce operational costs arising from poor quality business and therefore reduce the potential volatility of earnings
- Protect the reputation of the business and the wider Isle of Man plc
However, spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. The risk assessments required by the AML/CFT Code should be commensurate with the nature, size and complexity of the business. This means that a simple risk assessment might be enough for smaller or less complex businesses, and that where entities are part of a group, risk assessments should take into account group-wide risk appetites and frameworks.
At Rowany Solutions we recognise and agree with FATF that tt is also important to recognise that adoption of the risk based approach can not be a “zero failure” approach; there may be occasions where a business has taken all reasonable measures to identify and mitigate AML/CFT risks, but it is still used for ML or TF purposes. In these instances it is important to be able to demonstrate compliance with the AML/CFT Code and the documentation, maintenance and review of the risk assessments are a key part of that evidence.