From risk to compliance: the five steps to performing an AML risk assessment



In our ever-evolving digital world, technology has changed the way we make payments and made it possible to send money at any time, anywhere in the world. It has also made it easier for fraudsters to conceal the origins of illegally obtained funds, making them appear to come from a legitimate source. Indeed, with money laundering schemes costing some 2-5% of global GDP, and up to 30% of that figure originating in the US alone (costing upwards of $300B a year), it's important that businesses respond appropriately to the guidance of authoritative and regulatory bodies worldwide. This is where the anti-money laundering (AML) risk assessment comes in.

Let’s take a deep dive into why an AML risk assessment is necessary and the best practices for conducting an effective AML risk assessment as part of a larger AML compliance program.

What is an AML risk assessment?

An AML risk assessment is a key component of any AML tool kit, enabling businesses to measure the likelihood that a customer or client is involved with money laundering or terrorist financing. An AML risk assessment will measure the risk level of each client, performing due diligence to minimize any potential involvement in a money laundering scheme.

Who conducts an AML risk assessment?

Ultimately, an AML risk assessment is a worthwhile process for any organization that conducts financial transactions. Regulators worldwide have made it mandatory for financial institutions under the AML and Counter-Terrorism Financing (CTF) laws and regulations to take the appropriate preventative measures against such financial crimes, or else risk serious penalties and regulatory audits.

How is AML regulated?

To combat money laundering worldwide, the Financial Action Task Force (FATF) was created: an inter-governmental body that sets standards to guide countries in developing and updating their AML and CTF laws. The FATF includes 39 members and 37 member jurisdictions, as well as the European Commission and the Gulf Cooperation Council.

For example, the USA has the Bank Secrecy Act (BSA) and the USA PATRIOT Act, Canada has the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and Australia has the AML/CTF Act, while Europe is guided by a series of legislative directives, including the most recently released Sixth AML Directive (6AMLD).

The five steps to performing an AML risk assessment

While completing an AML risk assessment is necessary to comply with regulations, understanding the risk level of each client and transaction also protects your business and your reputation.  Below are five steps to follow to ensure compliance and protection. 

1. Document key risk indicators

The first step for conducting an AML risk assessment is to create the appropriate documentation regarding key risk indicators (KRIs) and, in turn, how they relate to your business. This documentation will outline the support for the risk analysis. Remember – document everything, including your thought processes. As information changes and evolves, it helps to have everything cataloged to be sure your processes stay up-to-date and relevant.

Common categories of KRIs that should be documented include:

  • Clients/Customers/Business entities

Which type of individuals do you do business with? Are they who they say they are? Some will have a higher risk, such as:

  • Politically Exposed Persons (PEPs)
  • Non-Resident Aliens
  • Professional Service Providers

Be sure to complete a sanctions screening to confirm that any individual you are working with is not on any sanctions list. And remember, doing business with PEPs is not necessarily banned; it is simply deemed high risk.

Meanwhile, if your client is a business entity, ask yourself who ultimately controls or benefits from its activities. Be sure to cross-reference any information on file with records kept at Companies House and other beneficial ownership registers.

  • Products/Services 

It’s important to understand and analyze the risks associated with the products and services you offer. For example, the following come with higher risk:

  • Remote deposits
  • Probate services
  • Gambling services
  • Cryptocurrency services
  • ATM and cash services
  • Foreign correspondent accounts
  • Loan portfolios
  • Online account opening and access
  • Tax advice

When providing a higher-risk service, keep a lookout for any red flags associated with your customer’s behavior. For example, ask yourself: Are the services they require consistent with their business rationale?

  • Delivery channels

It’s a good idea to remember that some delivery channels can increase money laundering risk, especially if they can disguise the true identity of the client’s activity. Remember to consider whether the service/product will be delivered in person or remotely, and whether it will be provided directly or via an intermediary.

  • Geographic location

A core component of any AML risk assessment is identifying the geographic locations that pose a higher risk. For example, do you operate in an area where there are higher rates of drug trafficking? To be thorough, confirm geographic risk through a list from the FATF or other such organizations.

And don’t forget, your customer doesn’t need to be in a foreign land to set off a red flag. If they are in a different city or province, enquire as to why they are coming to you instead of seeking a similar service closer to them, geographically.

  • Transactions

Naturally, an AML risk assessment will involve the evaluation of the type of transactions your business engages in. For example, how does the number of international wire transfers compare to domestic ones? Or what is the volume of loan transactions and private ATM customers?

2. Employ dedicated staff

No matter the size of your organization, ensuring adequate staff is employed to dedicate time to compliance is essential when conducting your AML risk assessment. 

3. Identify the inherent risk

Inherent risk represents the exposure your business will have to money laundering risk should you not put any processes in place to mitigate it. This step of identifying the inherent risk builds upon your documentation process in step one.

Once you have identified the inherent risks to your organization, you need to implement controls to reduce them. These can be broken down simply into three categories: weak, adequate and strong.

4. Determine the residual risk

Once you have identified the inherent risk to your organization and, in turn, the effectiveness of the internal control environment you have in place, you can move on to determining the residual risk. This category of risk is defined as the risk that remains once controls have been put in place to mitigate the inherent risk. In other words, what gaps in your controls are present that could enable money laundering?

5. Rate the risk

Best practice involves applying a three-tier rating scale to assess the risk of money laundering or terrorism funding occurring, identified as high risk, moderate risk or low risk. Should the risk be rated high, your mitigation efforts are not effective enough and additional risk management measures should be implemented immediately. Ultimately, the strength of your controls can help determine the risk score. For example, when there are adequate controls in place, risk ratings might reduce from a three to a two.

Furthermore, best practice dictates that risk be assessed at all levels of an AML-regulated business. This means that a risk assessment should be conducted at the following levels:

  • The transaction level (by whoever is dealing with the transaction)
  • The customer/client level (by whoever is dealing with the customer)
  • The business level (by the appropriate individual in senior management/legal/compliance)

Finally, when appropriate, it never hurts to go one step further and perform a risk assessment at the sectoral level, the national level and the international level.

Cultivate a culture of compliance

Remember, the AML risk assessment process is an ongoing one. By cultivating a culture of compliance and conducting regular audits of your processes, you can be sure your organization remains aligned with regulatory changes and minimizes the likelihood of risk affecting your business and reputation.

How can you elevate your AML risk assessment?

Unfortunately, despite the risk assessments, controls and strict processes we implement, financial fraud is evolving faster than ever. In fact, in 2022, financial services businesses saw a 79% increase in document fraud compared to the previous year. Given the state of the current economic climate, this situation isn’t predicted to settle anytime soon.

Therefore, in an environment so fraught with fraud, going beyond the regulated assessment requirements is recommended. As we have discussed in previous blogs dedicated to KYC compliance, embracing a digital transformation strategy is a must. What this means is balancing your obligations to AML assessments and compliance with innovative, digital identity verification that can help protect your business against the latest sophisticated fraud trends without impacting the customer experience.

In fact, by enhancing your approach to AML (and KYC) compliance with comprehensive online capabilities like digital identity verification pre-AML risk assessment, you will not only better mitigate sophisticated fraud attacks, such as synthetic identities, but also provide an even more seamless customer experience from the very first touchpoint – account creation.

Want to discover how you can go beyond best practices for conducting your AML risk assessment with digital identity verification? Contact us today.

Author: Louisa Farrar