LESSONS FROM THOSE NAMED AND SHAMED – PART 2
In Part 1, I noted that there seemed to be three recurring themes in why the GFSC took enforcement action against these three firms, namely:
- risk assessments
- ongoing and effective monitoring
- enhanced due diligence for high risk relationships.
In this Part, I am looking at risk assessments.
Assessments come in various forms, but there are three main ones for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment. I believe each one builds upon the one before it.
In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”. Whilst the UK issued their NRA in October 2015, Guernsey proposes to issue their NRA this year, having received the IMF’s model and had industry input.
The idea of the NRA is that it informs the next level, namely the BRA. Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”. The GFSC issued a detailed answer to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”. They also reiterated that it is best practice to review the BRA whenever changes to the business or to financial crime risks occur, and at least on an annual basis. Given the multitude of changes in these areas, the BRA is a living document needing almost constant review.
The third level of assessment is the relationship risk assessment, which is itself made up of three stages – the risk profile, the risk assessment and the risk rating. The risk profile should set out the information regarding the specific relationship with the customer, noting all financial crime risk indicators, which include those that are compulsory, inherent or high, or, if none of these apply, low. The risk assessment is the method by which a business assesses the profile, considering all the risks identified, including the accumulation of those risks. If the high risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high because of strong and compelling mitigating factors that it has identified and documented.
The third stage is to give the relationship a risk rating and apply the appropriate level of CDD.
MoneyVal (sorry to mention them again!) reiterated the problem highlighted by the IMF that, because non-resident customers, private banking, and trusts and companies holding personal assets are not compulsory high risks in Guernsey, insufficient CDD is applied in some instances. Whilst the GFSC noted the evaluation recommendation for these new compulsory high risks, they pointed out that many businesses already include them as best practice.
Do you? Are your risk ratings correct? Without effective CDD and EDD, will you fall into the trap of Willow, Confiànce and Provident?
In Part 3, I will consider the question of ongoing and effective monitoring and enhanced due diligence for high risk relationships.