I am a strong proponent of conducting a risk assessment as part of an overall ethics and compliance program. However, I often caution companies to balance benefits and costs, and not to conduct a glitzy, high-priced risk assessment. Instead, I encourage companies to conduct a cost-effective risk and compliance program assessment that focuses on risk, mitigation of such risks and measurement of residual risks.
Too often I see companies pay too much money for a risk assessment that tells them what they already know. The pictures and fancy graphs may be attractive but the question should always focus on whether or not the risk assessment delivers value to the company and was a wise expenditure of valuable compliance program funds.
A risk assessment should identify, analyze and understand risks as a preliminary step to mitigate those risks in the most effective manner possible. It is easy to get lost in AML risk terminology – in many respects, this is often an unnecessary diversion from a focused process.
“Inherent risks” are the risks to an entity in the absence of any action taken by the company to mitigate or control these risks.
“Risk controls” are processes to mitigate or reduce the possibility that such a risk will actually occur.
In the AML context, some examples of risk controls include prohibiting the offering of products or services to a specific customer (e.g. money service businesses); supervisory review and approval of a documentation checklist completed by an account manager prior to an account opening; site visits of high-risk customers; or use of an automated monitoring system to detect potentially suspicious activity.
“Residual risks” are the risks that remain after application of risk controls. Whether the residual risk is acceptable to a company depends on its risk tolerance for acceptable risk levels.
In the AML context, businesses are high risk for money laundering if they: (i) are cash-intensive businesses and they allow easy conversion of cash into other assets; (ii) lack transparency; (iii) involve international transactions/customers; or (iv) offer high-risk or high-value products.
High-risk products or services involve: (i) unlimited third-party transactions (e.g., demand deposit accounts); (ii) limited transparency (e.g., Internet banking, prepaid access, ATM, trust); and (iii) significant international transactions (e.g., correspondent banking).
Additionally, transactions that are processed quickly (i.e. electronically) such as wire transfers, or are difficult to trace such as cash or negotiable instruments (e.g., monetary instruments, drafts, bearer securities, stored-value cards) also are high-risk activities for money laundering.
Along with customer and product/service risks, a risk assessment should focus on geographic risks. In this inquiry, financial institutions should develop an objective approach to geographic risk, focusing on: (i) strength of AML system in country; (ii) amount of corruption; (iii) designation as a tax haven or as a state sponsor of terrorism; (iv) level of secrecy laws; (v) level of drug trafficking activities; or (vi) designation of human trafficking or smuggling region.
AML risk assessments can be conducted for a variety of purposes, including: (i) enterprise-wide risk assessment to aggregate the financial institution’s overall risk level; (ii) line of business risk assessment to identify the level of business for a particular line of business (including customer base, geography and controls); (iii) geographic risk assessment; (iv) customer risk assessment; and (v) OFAC/Sanctions risk assessment.