A survey of 1,118 anti-money laundering professionals conducted by Dow Jones Risk & Compliance and the Association of Certified Anti-Money Laundering Specialists found 62% of respondents said increased regulatory expectations represent the greatest AML compliance challenge. One problem making compliance harder is shortage of trained staff, cited by 49%; another is concern with technology, cited by 38%.
Billions of pounds of illicit funds are entering the UK, but only a very small proportion of this is being detected and investigated by the authorities, according to a report from Transparency International UK and it is widely believed that the system of anti-money laundering (AML) supervision in the UK is woefully inadequate and structurally unsound.
No matter how thorough a firm’s risk assessment is or how appropriate its controls, criminals will still succeed in exploiting it for criminal purposes. The possibility of being used to assist with money laundering and terrorist financing poses many risks including criminal and disciplinary sanctions, civil action against the firm and senior management, and damage to reputation. It is therefore important AML risks are identified, assessed and mitigated. The more a firm knows about its clients and the transactions they undertake the better placed it will be to assess its risks and spot suspicious activities.
The EU’s Fourth Money Laundering Directive (MLD IV) has placed emphasis on a ‘Risk Based’ approach to counter financial crime and terrorist financing and few would argue against this approach. It is logical, practical and appears on the face of it to be fairly straightforward. However, like many things which on the face of it seem simple, it can in fact end up being much more complex. Never truer the saying, “the devil is in the detail”.
The Risk Based approach consists of identification, assessment and management of the risks, but how it is applied will vary considerably between firms. It is probably the case that most of a firm’s clients are not money launderers or terrorist financers, but it is still important to assess the risk level across all clients and implement reasonable and considered controls to minimise these risks.
An effective, documented Risk Based approach, with Risk Based judgements on individual clients and suppliers enables a firm to justify its position in managing these risks to regulators and law enforcement bodies. At Objectivus
we recommend a staged Risk Based approach and here we look at some of the related issues and problems when putting one in place.
The first stage is to identify the risk. This, in itself, soundsrelatively easy, but all relevant risks need to be identified and that can only happen if the risk department, or group of people, whose role it is to identify risk, have the appropriate understanding of all the possible risks.
Once these risks have been identified the second stage is to rank the clients according to their individual propensity to commit money laundering. In most instances there is not an easily definable formula by which one can measure a
risk. For example, quantifying the likelihood of a client committing a financial crime or using an organisation in connection with financial crime is a difficult assessment. Several different criteria need to be assessed, such as, the number of high net worth individuals, the number of accounts from regions which are more susceptible to corruption and bribery or the number of clients who are Politically Exposed Persons.
This simple example of identifying risk uses just a few of the factors that may provide a metric for assessing the risk, though in reality it is probable that once the risks have been identified there will be a whole host of different causes of any one risk to take into account. So, what in the beginning of the process looked like a simple piece of analysis has now grown into a complicated piece of work with many intangible “best guesses”. Hardly a definitive, mathematical matrix which we risk experts so much prefer.
Having established the risks and likely causes, a model which can be numerically rated needs producing. The problem with this approach is that although the output is a numerical rating (probably on a scoring system of 1-10) the decisions taken as to what number to put against each risk is only an opinion which will certainly differ from the next person’s. In addition firm’s may not fully understand the details of the risks they are attempting to rate and therefore plumb for the mid score (a bit like carrying out an and of year HR assessment on an employee one doesn’t really know). There is also the danger that having carried out the analysis to identify the risks and causes, the overall result fails if the ranking is not completed fully and
In addition a firm should always endeavour to carry out a holistic analysis, establish what is its risk appetite and what this will mean to the firm’s business model in the future. In other words AML needs to be an integral part of the firm’s overall management and risk strategy, as it will inevitably
dictate how the firm will raise or lower its risk profile in the future.
Having identified, fully understood and ranked the risks with a simple to understand rating process the really difficult part follows, which is to prevent issues arising from these risks.
This is the third stage which involves closely looking at what processes need to put in place, these are determined by the perceived size of the risk which will be contingent on many more factors such as, where the client resides, the quantity and size of their transactions, whether the client is a Politically Exposed Person, and if a representative of the firm has met the client. Answers to these questions and many more will establish what actions need to be taken in order to prevent an AML issue arising. This analysis needs to be done on a case-by-case basis and so it can require a large workload.
Detection of AML issues requires an appropriate, timely, escalation process. This involves an appropriate level of training for staff. Proper procedures and policies need to be put in place with real-time risk assessment processes which can be adjusted to the many possible variables (for example business and client makeup, global events, issues and assessments).
Once all of the above has been implemented there will need to be continual reassessment and adjustment. A full understanding of the business strategy is necessary to be able to assess current and future impacts to enable the system to be flexible and adaptable.
As a result, whilst the Risk Based approach is logical and understandable and sounds simple, it is far from easy to implement. It requires management to make sure the staff responsible for the AML risks have a full understanding of the business and its strategy, are appropriately trained and are experienced enough to make many qualitative judgements. Such an approach also demands a high level of foresight and understanding of a firm’s global risk
position and any changes that may take place which in turn will alter that position. To enable important information to be kept up to date requires a system which is flexible and adaptable.
The good news is that if hard work is put in at the beginning of the process of implementing a tried and tested adaptable and flexible system, it will be well worth it in the end. The Board of Directors responsible for the firm will be able to sleep much more easily knowing the firm’s AML risk is being well managed.
For more information on this or other topics found in our News section, please contact us.