Hello – my name is Dawn Tindall. I am from Triangle Compliance Services, where I provide advice and training on anti-money laundering. Today I am talking about Risk Assessments and the importance of being thorough.
A Risk Assessment is a means of evaluating risks. It can be an assessment of a single scenario or of a set of possibilities. It should be thorough and based on a consistent, documented method, so that the same facts produce the same outcome whoever carries it out.
Risk Assessments are the backbone of the compliance programme and take various forms. In this presentation I discuss the types of assessment and also an addition to the armoury – the Compliance Risk Assessment.
There are three main types for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment. I believe each one builds upon the one before it.
In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”. Whilst the UK issued its NRA in October 2015, Guernsey proposes to issue its NRA this year, having received the IMF’s model and had industry input.
The idea of the NRA is that it informs the next level, namely the BRA or business risk assessment. Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”. The GFSC published detailed answers to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”. It also reiterated that it is best practice to review the BRA whenever changes to the business or to financial crime risks occur, and at least on an annual basis. Given the multitude of changes in these areas, the BRA is a living document needing almost constant review.
The third level of assessment is the relationship risk assessment, which is itself made up of three stages – the risk profile, the risk assessment and the risk rating. The risk profile should set out the information regarding the specific relationship with the customer, noting all financial crime risk indicators: those that are compulsory, those that are inherent, those that are high-risk or, if none of these apply, low. The risk assessment is the method by which a business assesses the profile, considering all the risks identified, including the cumulative effect of those risks. If the high-risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high where there are strong and compelling mitigating factors, which should be identified and documented.
The third stage is to give the relationship a risk rating and apply the appropriate level of CDD.
Under the Handbook the Board must take responsibility for the policy on reviewing compliance. The Compliance Risk Assessment, or compliance monitoring programme, is a means of assessing the appropriateness and effectiveness of compliance. With the FSB Handbook now in its tenth year, a further question needs to be asked: how mature is your compliance?
The term “maturity” refers to the degree to which an organisation’s processes have been formalised and integrated in the organisation’s operations.
The Director of Enforcement at the GFSC, Simon Gaudion, said in their 2015 Annual Report “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance.”
A well thought through Compliance Risk Assessment should look at whether your compliance policies and procedures have become embedded in your firm’s culture. If they have, ownership of compliance will spread across the firm and effectiveness will increase, which can only be a good thing.
Thank you for listening to this short presentation. Please contact me if you wish to know about Risk Assessments or how Triangle Compliance Services can help your firm.