How to do an AML Risk Assessment

This quick guide article walks you through how to do an AML risk assessment. A business-wide anti money laundering risk assessment is mandatory for firms with obligations under the Money Laundering Regulations. Below are suggested steps and formats that will result in an effective, compliant AML risk assessment.

What is an AML Risk Assessment?

Articles 18 and 18A of the Money Laundering Regulations refer to the requirement to complete anti money laundering risk assessments. They advise that “a relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.”

A ‘risk assessment’ does exactly what it says on the tin! It assesses the risks associated with any given function, compliance area or activity. Therefore, an anti money laundering risk assessment identifies and seeks to mitigate the risks associated with financial crime. This area covers activities and threats such as money laundering, tax evasion, terrorist or proliferation financing, fraud, bribery and corruption.

The main objective when considering how to do an AML risk assessment is to ensure that all relevant risks are identified. The assessment must be business-wide and cover every aspect, function and role of the company. Assessing the identified risks comes next. Moreover, this allows each risk to be rated and prioritised. Ongoing monitoring can then be established based on controls, measures, impact and finally the likelihood of the risk occurring.

What and Who to Consider

Before starting your AML risk assessment, you need to understand who and what should be part of the process. Certain people and functions associated with a business are more at risk from financial crime than others. As a starting point you should review and consider the below when identifying your AML risks.

  • The types of customers you have.
  • Geographical location of your customers and suppliers (i.e. FATF and UK high-risk countries).
  • Transaction types and volumes.
  • Products and services offered and/or activities undertaken.
  • Marketing channels to find customers and delivery channels for products/services.
  • Customer onboarding processes.
  • Payment processing (i.e. cash, transfers (electronic or wire) etc).
  • How funds are allocated, accepted and held.

AML Risk Assessment Stages

There is no set format for completing and documenting your business-wide AML risk assessment. However, we suggest having 6 stages in the process. These stages comply with the Money Laundering Regulation requirements. Furthermore, they adhere to the FCA and HMRC rules for completing a financial crime risk assessment. Excel is a great tool to use for this compliance task. It allows you to enter and sort large volumes of data. In addition, it is perfect for exporting that data into management information and effective reporting.

Stage 1 – Identify the Risks

As noted above, the risks associated with money laundering can come from a vast array of business areas and functions. We have covered these in more detail in our ‘AML Areas to Assess for Risk’ article. Suggested areas include your customers, suppliers, transactions, geographical location and your products and services. The identified risks must be recorded on a risk assessment template.

Stage 2 – Rating the Risk

Each risk needs to be assigned a rating. This allows you to prioritise controls and measures for mitigation. Furthermore, it dictates how often the risk should be monitored and reviewed. A standard risk matrix can be used to assign a risk rating to each risk. This means identifying and assessing how likely it is that the risk could happen. This is usually referred to as probability or likelihood on a risk matrix. In addition, you should define the impact the risk could have or cause.

Stage 3 – Mitigation & Risk Management

Once you have identified the risks across your business and risk rated them, you need to define controls and measures for risk mitigation and management. Your aim is to have the lowest possible risk impact and probability in all areas. It is often easiest to categorise the identified risks into 3 possible outcomes.

REDUCE THE RISK – If you can implement controls or use tools to reduce the impact the risk could cause and/or the likelihood of it happening, you should do so. You will have rated your risk in the previous stage and, after using controls and measures to reduce the impact and/or likelihood, you can rate the risk again.

ELIMINATE THE RISK – There are 2 main reasons and ways to completely eliminate a risk. Firstly, you may have applied the above controls and systems to reduce the risk, which has resulted in the risk no longer existing. Secondly, you may decide that the entity or function resulting in the risk should be removed. An example is if a product poses a high risk to customers which cannot be reduced further. The company may not want to tolerate or accept that risk so they choose to remove the product from sale.

ACCEPT AND MANAGE THE RISK – Most anti money laundering risks can have their potential impact and probability reduced through controls, measures and systems. However, there will usually still be some element of risk for all functions and products, especially in the financial sector. At this point the risk is accepted and managed through monitoring, reviews and testing. In addition, some risks are high and the impact cannot be reduced further. However, they are a mandatory business function that cannot be eliminated. This means accepting and managing the risk through additional monitoring and human intervention.

Stage 4 – Development & Implementation

Stage 4 involves actioning the controls, measures or systems suggested in the ‘reduce the risk’ outcome in stage 3. Some controls may already be in place and can be documented on the AML risk assessment template. New controls should be investigated, developed and implemented. Responsibility should be assigned to a lead for each risk or project to ensure accountability and deadlines.

Stage 5 – Authorisation

Some risk assessment processes combine this stage into the final monitoring stage of the framework. However, it is a very important function and in many cases a mandatory one. We have therefore separated authorising and signing off on all AML risk assessment stages and outcomes into its own stage.

Depending on your business structure, overall authorisation of the completed AML risk assessment program should come from an owner, director or senior management. They should review all stages of the assessment and sign off on the risks, ratings and mitigating controls. This is about accountability and oversight.

Stage 6 – Monitoring & Review

Most risks are ongoing and therefore require an audit and monitoring program. Risks can change over time and also with the introduction of new products or business activities. How a risk is rated can also alter, along with the controls and measures required to mitigate the impact and probability. The frequency of risk monitoring should be recorded in the AML risk assessment template and assigned based on risk rating, controls, impact severity and those vulnerable to the risks. It is also important to test the procedures and controls that are in place to ensure they continue to be effective and adequate.

AML Risk Assessment Procedures and Excel Template

If you would prefer to buy a ready to use set of templates for completing an anti money laundering risk assessment, we have what you need. From just £15 (exc vat) our AML risk assessment template comes with a 19-page customisable procedures document, a pre-defined risk matrix and a ready to use AML risk assessment template in Excel. We have provided all stages of the AML risk assessment so that you can follow them in your business. We have also included a sample completed template to guide you.
