In this short guide, we’ll cover the essentials of AML risk assessments and provide practical guidance on how to be ready for your next AML monitoring visit.
Good reasons for AML Risk Assessments
- It is a legal requirement with potential fines or imprisonment (up to 5 years)
- Keep your professional body happy. It is a key element requested during AML thematic reviews and monitoring visits.
- They can help identify and avoid (or remove) potentially problematic clients from your client base.
- Mitigate reputational risks for your business (non-compliance or an unidentified case of money-laundering)
- Ethical responsibility to counter money-laundering or illicit activities.
At AML HQ, we often refer to the 5 pillars of compliance, which help articulate a practical approach for Accountancy firms to meet their AML obligations. When we consider the activities that involve Risk Assessment, we can see that it is a common theme embedded across the AML framework.
Business Risk Assessments (firm-wide)
The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 introduced a mandatory requirement to undertake a Business Risk Assessment.
The purpose of the Business Risk Assessment is to identify, assess and determine mitigating measures for AML risk across the entire practice, considering both internal and external factors.
The structure of the Business Risk Assessment is effectively set out in legislation and must consider the following risk factors:
- Types of customer that you have
- Products and services that you provide
- Countries or geographical areas in which you operate
- Type of transactions you carry out
- Delivery channels you use
You need to consider the latest National Risk Assessment for Money Laundering and Terrorist Financing. The latest National Risk Assessments highlighted AML vulnerabilities in the Accountancy sector for practices that deliver the following services:
- Company and trust formations;
- Insolvency services;
- Providing financial advice;
- Providing tax advice;
- Handling client money;
- Managing client assets and financial accounts;
- Investment business services;
- Auditing financial statements; and
- Company secretarial services.
With regard to Geographical Risk Factors, you need to consider if your clients have associations or links with any of the Financial Action Task Force (FATF) list of high risk jurisdictions and those under increased monitoring. The list is updated three times a year following the FATF plenary meetings.
The latest list was published on 23 February 2024 and included the following countries: Democratic People's Republic of Korea, Iran, Myanmar, Bulgaria, Burkina Faso, Cameroon, Democratic Republic of the Congo, Croatia, Haiti, Jamaica, Kenya, Mali, Mozambique, Namibia, Nigeria, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Türkiye, Vietnam, Yemen.
Key Takeaways
- Conduct Business Risk Assessments annually or when there are material changes to your business.
- Using templates as a starting point is completely acceptable, provided they give a true reflection of your business and you add detail to reflect your operational context.
- Provide detailed information on specific clients, their associated risks, and actionable conclusions.
- By regularly monitoring and reviewing the effectiveness of AML controls and procedures, accountants can adapt their strategies to mitigate evolving risks effectively.
- Integrate assessment findings into your Policies, Controls, and Procedures (PCP) review.
- Digital services can automate and streamline risk assessments by aggregating and providing real-time insights across your client base.
Client Risk Assessments
Conducting client-wide risk assessments is a required action for accountants to identify high-risk clients, tailor due diligence measures, adopt a risk-based approach and enhance overall risk management efforts.
Similar to the Business Risk Assessment, you need a structured set of questions to assess each client under the different risk categories.
Geographic Risk Assessment
When assessing geographic risk, consider the following:
- Proximity to Your Firm: Is the client based within close proximity of your business? Have they come to your firm from the other side of the country because you will not be familiar with them or their associates?
- International Links: Is the client based, or do they have links, outside of your country/jurisdiction? International transactions introduce additional complexities and potential risks. Consider factors such as cross-border regulations, cultural differences, and exposure to diverse financial systems.
- Sanctioned Jurisdictions: Does the client have any association with jurisdictions subject to sanctions? Transactions involving sanctioned countries or individuals pose elevated risks. Stay informed about global sanctions lists and monitor client activities accordingly.
- Weak AML Controls: Does the client transact with customers in countries listed as having weak AML and terrorist financing controls? Some regions may lack robust AML frameworks, making transactions riskier. Evaluate the adequacy of due diligence and monitoring in such cases.
Service Risk Assessment
Evaluate the specific services that you are providing to your client:
- Client Money Account Usage: Will you be providing client money account services? Handling client funds introduces inherent risks, especially if misused for illicit purposes. Implement strong controls and monitoring for such accounts.
- Trust or Company Services: Will you be providing trust or company services for the client (e.g., company formation or use of your address for correspondence)? These services may carry specific risks related to legal structures, beneficial ownership, and potential misuse. Conduct thorough due diligence on clients seeking such services.
Industry and Delivery Channel Risks
- Industry-Specific Risks: Consider the industry in which the client operates. Certain sectors, such as financial services, real estate, and gambling, are inherently higher risk due to their susceptibility to money laundering.
- Delivery Channels: Assess the channels through which the client conducts transactions (e.g., online, in-person, third-party intermediaries). Different channels have varying risk profiles. For instance, online channels may be susceptible to cyber-related risks, while face-to-face interactions allow for better scrutiny. Take appropriate measures to verify a client’s identity based on your delivery channel.
Simplify and be consistent
The majority of practices that we work with have Excel, Word or paper templates in place to conduct risk assessments. From a compliance perspective that is of course fine; however, there are considerable efficiency gains to be realised by using intelligent and connected digital risk assessments.
Another important compliance point is that risk assessments are not static; they are fluid and ever changing and require continuous ongoing monitoring and review. Initial and ongoing monitoring needs to be documented and evidenced. If you don’t record it, it never happened.
Regardless of your approach to risk assessments, our advice would be to keep it simple and be consistent.
At AML HQ, we simplify AML compliance for sole practitioners and SME practices. Our all-in-one solution includes AML client files, policies, controls, intelligent firmwide risk assessment, staff training, identity verification, and more.
For a streamlined approach to AML compliance, try AML HQ. Our secure portal will address all your AML obligations. Book a call with our team to see how you can set up and achieve compliance in less than 1 hour.