A risk-based approach is the adoption of a risk management process for dealing with money laundering and terrorist financing. This process encompasses recognising the existence of the risk(s), undertaking an assessment of the risk(s) and developing policies, procedures and controls to manage and mitigate the identified risks.
The Board and senior management of any business are responsible for managing the business effectively. They are in the best position to evaluate all potential risks including those of ML/FT. The rules in chapter 2 of the Handbook in relation to corporate governance make it clear that the Board has effective responsibility for compliance with the Regulations and the Handbook and therefore it must take ownership of and responsibility for the Business Risk Assessment (“BRA”).
Section 3.3 of the AML/CFT Handbook provides guidance on identifying and assessing the risks of a financial services business being involved in ML/FT, taking into account its customers, its products and services, and the ways in which it provides those services.
What should it contain?
At a minimum, a BRA should reflect that appropriate steps have been taken in order to identify and assess the risk of the entity being used to launder the proceeds of crime or to finance terrorism (for customers; jurisdictions or geographic areas; and products/services/transactions/delivery channels). In addition, the BRA should reflect the identification and assessment of other relevant risks. For example, in some cases this might include outsourcing. These assessments should be documented in order to demonstrate their basis and be kept up to date.
In addition to identifying the particular areas of vulnerability to the risk of ML/FT, a BRA should contain references as to how the entity manages or mitigates the risks which it has identified. For example, the BRA might state that the higher risks associated with relationships involving high-risk jurisdictions are addressed by having suitable enhanced due diligence procedures and corresponding review and monitoring processes.
Industry sectors will have inherent and/or generic risk factors, and these will need to be referenced. Individual entities will also have risk factors particular to that entity, which will need to be referenced in their BRA.
What should it not contain?
The BRA should not simply be a cut and paste version of the relevant sections of the Handbook as this does not demonstrate that the Board has given serious consideration to the vulnerabilities particular to the entity.
It should not be a generic document which has simply been populated with general information as this, once again, does not demonstrate that the Board has given serious consideration to the vulnerabilities particular to the entity.
It should not contain unsubstantiated, highly generalised references to risk faced by the business. For example, a reference to all business being low risk would not be acceptable unless it was backed up with sufficient information as to how this assessment had been made.
It should not be a mix of ML/FT and prudential risk. If the firm wishes to combine the assessment of ML/FT and prudential risk in one document, there needs to be a clear division between the two assessments.
Although, as identified previously, a BRA should contain references as to how the entity manages or mitigates the risks which it has identified, it does not necessarily have to include the detail of how the identified risks are managed and mitigated, as this may be fully addressed in the procedures and controls document(s).