FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449  Email: hirett.co.uk@gmail.com

1 Introduction

This risk assessment template is to be used in conjunction with [Your Company Name’s] (hereinafter referred to as the “Company”) Risk Management Procedures and Anti-Money Laundering Policy and has been designed as a tool for identifying, assessing and managing the risks of money laundering and terrorist financing.

All businesses with obligations under the Money Laundering Regulations are required to assess the risks posed to the company from money laundering and terrorist financing and are required to put policies and controls into place to manage and, where possible, mitigate such risks. This template has been designed to aid the Company in their risk assessment and ongoing monitoring and to help us: –

  • Carry out a risk assessment identifying where the Company is vulnerable to money laundering and terrorist financing
  • Prepare, maintain, and approve a written policy statement, controls, and procedures to show how the Company will manage the risks of money laundering and terrorist financing identified through any risk assessment(s)
  • Review and update the policies, controls, and procedures to reflect changes to the risks faced by the Company
  • Provide training and guidance to all employees on the identified risks, how to effectively implement the policies and controls, and how to monitor the risks and outcomes
  • Ensure that adequate resources, funds and systems are in place to support the controls needed to identify, assess and manage risks
  • Monitor the effectiveness and adequacy of the Company’s policies, controls and procedures and make improvements where required

2 Risk Assessment

The Company are obligated to carry out a company-wide risk assessment to identify areas of vulnerability relating to money laundering and to record any risks posed to the Company. We already have dedicated Risk Management procedures and controls for assessing all risks associated with the Company and utilise these procedures for completing this assessment. However, as the risks posed by money laundering are company/industry specific, we utilise this template to aid in creating a written risk assessment that relates solely to the prevention of money laundering and terrorist financing within the organisation.

This assessment enables a pre-emptive approach to risk and allows the Company to apply corrective actions and mitigating controls to effectively eliminate, reduce or manage such risks and vulnerabilities.  The overall aim of this assessment is to identify any area of vulnerability with regard to money laundering and to create a complete profile of any risks posed to the Company.

Through our risk management controls, we aim to eliminate or reduce the risk to an acceptable level. The overall scope of the risk solutions is to either: –

  • Eliminate
  • Reduce
  • Manage

In some cases, an identified risk can be eliminated by putting certain controls or systems into place to ensure that the risk is removed altogether. However, in many cases risks have to be tolerated as part of a business and so we seek to reduce the risk to its lowest possible effect through the use of controls, policies, systems and training. Where risks remain, we have defined controls and solutions to manage the outcomes and to reduce the risk of money laundering in the Company to an absolute minimum.

2.1 Assessment Requirements

Once we identify each risk, we then assess the risk, the impact and the likelihood, and record the origin, nature, particularity and severity of that risk, along with the operation/factor causing the risk and any mitigating measures and/or proposed solutions or controls for managing the risk.

We utilise supervisory authority guidance when considering what risks the Company may face, including resources from HMRC, the FCA and the JMLSG. The table below gives examples of the areas we assess for risk, but is by no means an exhaustive list.

RISK AREA RISK DESCRIPTION
CUSTOMERS & RELATIONSHIPS
  • Types of customer
  • Location of customer
  • The business relationship is conducted in unusual circumstances
  • How customer is introduced
  • Where customers’ funds come from
  • Where customers’ funds go to
  • Customers’ background & due diligence checks
  • Verification of customers’ identity (or company validation)
  • Customer referral (i.e. has referrer carried out adequate due diligence)
  • Customer behaviour (i.e. large cash transactions; one-off transactions; regular transactions with the same individual(s))
  • Complicated ownership structures
  • Customers from high-risk sectors or businesses
  • Politically exposed persons (PEP’s)
  • Clients seeking anonymity
  • Remote clients
  • The customer is a legal person or legal arrangement that is a vehicle for holding personal assets
  • The corporate structure of the customer is unusual or excessively complex given the nature of the company’s business
  • The customer is a company that has nominee shareholders or shares in bearer form
  • The customer is a business that is cash intensive
  • The customer is the beneficiary of a life insurance policy
  • The customer is a third country national who is applying for residence rights in or citizenship of an EEA state in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities in that EEA state
TRANSACTIONS
  • High value transactions (volume or value)
  • One-off transactions
  • Cash sales
  • Accepting high charges and/or penalties
  • Enters into transactions that do not make commercial sense
  • Is involved in transactions where you cannot easily check where funds have come from
  • Source of funds/wealth
  • Patterns of transactions
  • Payments from/to third parties
  • Unusual or complex transactions
PRODUCTS, SERVICES & DELIVERY CHANNEL
  • Assets handled
  • Products/services that enable money to be placed in the business, or moved from/through it
  • Products/services that enable ownership of assets to be disguised
  • The product involves private banking
  • The product or transaction is one which might favour anonymity
  • The situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as an electronic identification process which meets the conditions set out in regulation 28(19);
  • Delivery channels (especially where new)
  • Where new products and new business practices are involved
  • Conveyancing and/or property rental
  • Managing trusts or companies
  • New products or delivery mechanisms
  • The service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in a third country
  • There is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory, or other items related to protected species, or other items of archaeological, historical, cultural or religious significance or of rare scientific value
BUSINESS
  • Products/services offered
  • Activities undertaken
  • Employee screening and due diligence
  • Types of business relationship
  • Adequate systems and backup plans
LOCATION
  • Geographical location
  • High risk countries (e.g. corruption)
  • Countries with no/little AML regulations (FATF)
  • Countries subject to sanctions, embargos, or similar measures
  • Countries providing funding or support for terrorism

[The above list is non-exhaustive but can be used to carry out your AML risk assessment. You should consider the size and scope of your business when completing the risk assessment.]

2.2 Risk Assessment Team

The Company’s [nominated officer/MLRO/AML lead] has been appointed to carry out the money laundering risk assessment and to record the necessary information and report the results to the Senior Management Team/Directors.

Dependent on the size of the organisation, the appointed person may require a team to assist in the assessment and management aspects and will choose specific team members who have: –

  • An understanding of the project’s aims and the organisation’s objective
  • The authority to influence the design and development of the project and participate in decisions
  • Expertise in money laundering and terrorist financing regulations and matters
  • The ability to assess and suggest solutions to risks and develop mitigating actions
  • The ability to communicate effectively with stakeholders and management
  • The AML Lead can at any point in the risk assessment process, engage other members to assist in specific areas as they deem fit or necessary (i.e. IT with regards to systems)

3 Risk Assessment Stages

We have divided the Risk Assessment into stages to ensure that all aspects are covered, reviewed and documented. Each stage is covered in detail under its category heading.

  • Stage 1. Identify the Risks – risks will include customers, businesses, suppliers, transactional, geographical, system related and products/services. All departments and business areas will be assessed for vulnerabilities and risks and these will be recorded on the risk register located within the Company’s Risk Management program
  • Stage 2. Mitigation & Risk Management – identify controls, measures, systems, training and/or procedures that can reduce, eliminate or manage the identified risks. With suggested controls, reassessment of the risk rating is carried out as some risks will then have a lower risk rating
  • Stage 3. Development & Implementation – any controls, measures or systems identified in stage 2 that are not already in place are developed, sourced and/or implemented. Responsibility is assigned to a lead for each control project and an estimated completion date is defined to ensure that all projects remain on track
  • Stage 4. Authorisation – all stages of the risk assessment must be recorded using the provided templates and authorisation must be obtained from [Director/Senior Manager]
  • Stage 5. Monitoring & Review – procedures, controls and measures must be reviewed and reassessed annually to ensure they are still valid, effective and adequate. Risks to the Company should be reassessed and any new risks added to the risk assessment template

3.1 Identify the Risks and Vulnerabilities

The risks each business faces from money laundering and terrorist financing can vary greatly, which is why each company must complete their own risk assessment and not rely on the findings or suggestions of a single resource. Size, scope, sector and service all have a vast effect on how a company can be used for financial criminal activity and so assessing and documenting such risks or areas of vulnerability will ensure that controls can be put into place to reasonably reduce the risks.

Risks will usually fall into one of four categories: –

  • Risk from Customers/Clients – Such risks can come from a variety of sources, including due diligence checks and identity verifications; validating companies and business structures; working with or on behalf of third-parties or unknown/vague customers.
  • Transaction Risks – Risks associated with the payments made/received from clients either direct to the company, coming from the company or going through the company. Considerations include the size and value of payments, cash transactions, unusual or complex transactions and those with certain patterns.
  • Product/Service Risks – Risks arising from the products and/or service offered by the company; with certain sectors having higher risk factors (i.e. those dealing with high-value assets, property interactions; accountancy etc). These risks also consider the delivery mechanisms used, how the product/service is accessed, and the form of payment received.
  • Business/Geographical – These can be risks associated with where the company is located or the geographical location of the customer (i.e. countries with no AML regulations or those with sanctions imposed); and also risks posed by the activities of the business itself, as well as the size and scope of the business.

Once the risks have been identified, we use our standard Risk Management Procedures to aid in categorising the risk and also utilise the below risk matrix to assign a risk rating based on the severity of the impact and the likelihood of the risk occurring. This rating provides an easy to see colour code for how severe the risk is and the likelihood of it happening, ensuring that the Company can prioritise the allocation of the right resources and controls.

The risk rating table below uses the common ‘Red, Amber, Green (RAG)’ matrix, where each risk is given a RAG score based on the likelihood versus the impact.

LIKELIHOOD \ IMPACT  | Trivial (1) | Minor (2)  | Moderate (3) | Major (4)  | Severe (5)
Almost Certain (5)   | Low Med     | Medium     | High         | Very High  | Very High
Likely (4)           | Low         | Low Med    | Med High     | High       | Very High
Possible (3)         | Low         | Low Med    | Medium       | Med High   | High
Unlikely (2)         | Low         | Low Med    | Low Med      | Medium     | Med High
Rare (1)             | Low         | Low        | Low Med      | Medium     | Medium

Impact Score x Likelihood Score = Risk Rating
  • GREEN – All business is exposed to certain risks that have to be managed as they cannot be eliminated. No business will ever be completely risk free; however, where the Company cannot eliminate a risk completely, we aim to reduce it to the lowest risk rating possible. The ideal acceptable risk will be rated green and means that it is unlikely to happen or is so minor that the effect of it occurring will not result in any major impact. Some of the risks identified will start out as green, whilst others originally identified as amber/red (moderate/severe) may be reduced to green (low) with adequate controls and measures applied. Some green rated risks are so minor that it is not feasible to put any controls into place; however, these are still referenced on the assessment record to evidence identification and ensure future monitoring.
  • AMBER – Where an assessment outcome is Amber, mitigating actions are always. The aim is to reduce all risks down to the lowest possible rating; however due to the nature or scope of some businesses, having moderate or high risks is a factor of the product/service offered and so cannot be reduced further. In such instances, controls and measures are developed to manage the risk as far as possible and to ensure that as many procedures, controls and measures as possible are applied to mitigate money laundering offences.
  • RED – Where an assessment outcome is Red, it indicates that either/both impact and likelihood scores are high and there is an increased risk of being vulnerable to money laundering or terrorist financing. If the risk can be eliminated through removal (i.e. discarding a new service due to high risks or inability to effectively manage the money laundering risks); it will be. However, the nature and scope of some financial organisations is such that the service, and products offered, or the activities undertaken are always vulnerable to money laundering or terrorist financing schemes. In such cases, controls and measures are developed and implemented to reduce and manage the risk as far as possible, however the risk will still retain a Red rating so that it is adequately monitored and reassessed accordingly.

The above process enables the Company to devise ways to reduce or eliminate money laundering risks and assess the costs and benefits of each approach, as well as looking at the impact such risks can have and the likelihood of them occurring. This enables a broader picture of each risk and a universal approach on managing the risks.

Once the risks have been identified, rated and managed, the Company will then reassess the risk using the same matrix, and reassign ratings that may have changed owing to the controls and measures developed and implemented.

[NOTE: Where you have identified a risk and have been able to eliminate it altogether through either controls or removal; you should still add this risk to the assessment table to indicate that it was identified initially and has since been removed or actioned.]

IDENTIFIED RISKS AND VULNERABILITIES

REF | RISK SUMMARY | CATEGORY | ASSESSMENT OF RISK | RAG
# | Brief risk summary | i.e. Customer, Geographical | Provide a description of the risk or vulnerability | Risk Rating
R1 | E.g. Cash transactions | Transactions | The business can be exposed to customers who make high-value cash transactions. These customers will warrant additional controls over standard transaction types | 16
R2 | E.g. Third-party referrals | Customer | We utilise 2 lead generators who pass customers to us but have not assessed the third-parties' own due diligence measures. We may need extra due diligence on these customers on initial referral | 8
R3 | E.g. Overseas clients | Geographical | The company currently only has 1 overseas client and are focusing services on local clients only | 2

[Note: You can customise the template to suit your needs and business type and do not need to retain the suggested headings. Your aim is to identify and assess any and all risks to your business from money laundering and terrorist financing sources/factors. Some may be minor and already have controls in place, but you should still add them to the list to demonstrate a full risk assessment to your AML Supervisory Body]

3.2 Mitigation & Risk Management

Once all money laundering risks and vulnerabilities have been identified and rated, the Company then develop and evaluate solutions, controls and mitigating actions to reduce, eliminate or manage the risks. The Company recognise that it is not possible to eliminate all risks, but we aim to reduce them to an acceptable level and/or to have dedicated and adequate controls in place to manage the risk and ensure that we are complying with the Money Laundering Regulations and any other relevant obligations.

When applying the solutions or controls to the log, we use the risk rating obtained in the Risk Identification process to ensure that we know the current risk and what an acceptable level would be. Once all controls and actions have been added, we then repeat the risk rating assessment to record if the original risk rating has been reduced.

Some controls or procedures we consider when developing controls or managing risks include: –

  • Using due diligence questionnaires for simplified and standard due diligence checks on all customers and business relationships
  • Using an enhanced due diligence process for high-risk customers or business relationships
  • Carrying out identity and background checks on all customers and suppliers
  • Completing annual CRB, background and financial checks on all employees
  • Implementing systems to identify and monitor transaction patterns (i.e. high value, complex, unusual etc)
  • Implementing an employee training program dedicated to money laundering and the risks posed and identified
  • Identification and monitoring of clients who are PEP’s, Beneficial Owners and/or Beneficiaries
  • Signing up to newsletters and notifications from monitoring groups and bodies specific to money laundering and terrorist financing (i.e. FATF, OFSI etc)
  • [Add/delete as specific to your sector and business]
MITIGATING ACTIONS & PROPOSED RISK MANAGEMENT CONTROLS

REF | RISK | RAG | CONTROL/MANAGEMENT | RAG
# | Risk to be controlled | Current rating | Actions, solutions and/or mitigating controls that address the risk | New rating
R1 | E.g. Cash transactions | 16 | 1. Perform due diligence to identify client identity; 2. Verify source of funds on all transactions over £2000; 3. Review client business activities and associated relationships | 10
R2 | E.g. Third-party referrals | 8 | 1. Make due diligence part of the lead generator agreement prior to customer referral; 2. Carry out secondary due diligence on the customer after referral | 4

[Note: You can customise the template to suit your needs and business type and do not need to retain the suggested headings. You should use the risks identified in the previous stage and now add any controls or procedures you have (or will develop) to help reduce or manage the risk. Once you have added as many controls as possible for each, you should reassess the original risk rating as some controls may have reduced the likelihood; impact or both for the risk, making it less of a priority than others.]

3.3 Development & Implementation

Some of the controls and measures identified in stage 2 may already be in place and should be reviewed for adequacy and effectiveness in accordance with the risk rating and desired outcome. Where a control or management action has been suggested but is not yet in place, the Company will assign each control to a relevant employee (including outsourced options) and ensure a completion timeframe and ongoing review is put into place.

Where a service, product or business activity poses a high risk and requires identified controls to reduce or manage the risk, the Company place a temporary hold on such services/activities until the relevant controls have been developed, implemented and assessed.

CONTROL AND MANAGEMENT DEVELOPMENT & INTEGRATION

CONTROL/ACTION | RESPONSIBILITY | COMPLETION DATE | PROGRESS/STATUS
Detail what actions must happen for the control or measure to be developed and implemented | Who is responsible for overseeing the project | Proposed deadline | Current progress or status
E.g. Contact software providers for transaction monitoring software to obtain systems for monitoring patterns or unusual transactions | Jane Smith | 12/08/2019 | Awaiting company quote
E.g. Customer care team to develop an enhanced due diligence questionnaire form | John Jones | 08/07/2019 | 1st draft with Senior Management
E.g. Make due diligence part of the lead generators' remit and add to the agreement between parties | Zoe Harris | Completed 18/05/2019 | Implemented

[Use the above table to record any controls, measures or systems that are not yet in place and need to be developed, sourced and implemented to reduce or manage the relevant money laundering risk or vulnerability. Each control should be assigned a responsible person in charge of project oversight and should be given a timeframe and completion date to ensure that all controls are developed and implemented as soon as possible.]

4 Authorisation

All stages and aspects of the company-wide money laundering risk assessment are recorded and retained for 6 years after the completed assessment date. Annual risk assessments are completed using new templates so that previous assessments can always be referred to and provided to the supervisory authority if requested.

The completed risk assessment aims to demonstrate the Company’s commitment to preventing money laundering and terrorist financing and ensures that we are aware of all risks posed to the Company and any areas of vulnerability.

The finalised risk assessment is reviewed and authorised by [MLRO/Nominated Officer/Director/Senior Management].

MLRO/Nominated Officer:

Print Name:    _____________________           Date:         ______________

Assessment reviewed:           Yes/No                         Signed:    ___________________

Senior Manager:

Print Name:    _____________________           Date:       ______________

Assessment reviewed:           Yes/No                         Signed:   ___________________

Partner/Director:

Print Name:    _____________________           Date:      ______________

Assessment reviewed:           Yes/No                         Signed:  ___________________

5 Monitoring & Review

The completed risk assessment is reviewed on an [annual/bi-annual/quarterly] basis and each risk is reassessed to re-evaluate the risk rating, appropriateness and managing controls that have been put into place. Any new risks are added to a new risk assessment, with any risks that are no longer valid remaining on the previous risk assessment but not being carried over.

A new risk assessment summary document is provided annually based on the latest risk assessment and is filed/saved should it be requested by the supervising authority. The effectiveness and adequacy of the Company’s policies, procedures and controls are evaluated during the review and/or reassessment. We utilise suspected and/or submitted suspicious activity reports and internal reviews to evaluate the effectiveness and adequacy of the controls we have in place.

The Company already have a dedicated audit and monitoring program in place which enables us to evaluate and examine the adequacy and effectiveness of the policies, controls and procedures that we have in place to meet all regulatory and legal requirements. This program is used to assess the ongoing effectiveness of our AML controls and procedures and adherence to the relevant laws and regulations.