The 2007 Regulations permit a risk-based approach to compliance withobligations.
This approach does not apply to reporting suspicious activity, because POCA and the Terrorism Act lay down specific legal requirements not to engage in certain activities and to make reports of suspicious activities once a suspicion is held. The risk-based approach still applies to ongoing monitoring of clients and retainers which enables suspicions to be identified.
The possibility of being used to assist with money laundering and terrorist financing poses many risks for businesses, including:
These risks must be identified, assessed and mitigated, just as businesses do for all business risks that they face. If a business knows its clients well and understands their instructions thoroughly, it will be better placed to assess risks and spot suspicious activities. Applying the risk-based approach will vary between firms. While businesses can, and should, start from the premise that most of their clients are not launderers or terrorist financers, they must assess the risk level particular to their business and implement reasonable and considered controls to minimise those risks.
No matter how thorough the risk assessment or how appropriate the controls, some criminals may still succeed in exploiting a business for criminal purposes. But an effective, risk-based approach and documented, risk-based judgements on individual clients and retainers will enable a business to justify its position on managing the risk to law enforcement, courts and professional supervisors (oversight bodies).
The risk-based approach means that businesses focus their resources on the areas of greatest risk. The resulting benefits of this approach include:
All businesses must have appropriate policies and procedures for assessment and management of the risk of the business being used for money laundering, of failing to recognise it where it occurs and report it when required.
Businesses are likely to already have in place policies and procedures to minimise professional, client and legal risk. Businesses can extend their existing risk management systems to address anti-money laundering and counter terrorist financing risks. The detail and sophistication of these systems will depend on the business's size and the complexity of the business it undertakes. Ways of incorporating the risk assessment of clients, business relationships and transactions into the overall risk assessment will be governed by the size of the business and how regularly compliance staff and senior management are involved in day-to-day activities.
Issues which may be covered in a risk assessment system include:
Senior management engagement and commitment is needed to produce and embed a successful risk-based approach, and it also needs effective communication to all staff members who need to use it.
In developing a risk-based approach, businesses need to ensure it is readily comprehensible and easy to use for all relevant staff. In cases of doubt or complexity, businesses may wish to consider putting in place procedures where queries may be referred to a senior and experienced person, e.g. the MLRO for a risk-based decision which may vary from standard procedures.
The risk profile of a business depends on its size, type of clients, and the practice/service areas it engages in.
Businesses should consider the following factors:
A business's client demographic can affect the risk of money laundering or terrorist financing.
Factors which may vary the risk level include whether a business:
Some service and practice areas could provide opportunities to facilitate money laundering or terrorist financing. For example:
Businesses should determine the risks posed by a specific client or retainer. This may involve considering whether:
Businesses can decide for themselves how to carry out their risk assessment, which may be simple or sophisticated depending on the nature of their business. Where, for example, the business is simple, involving few service lines, with most clients falling into similar categories, a simple approach may be appropriate for most clients, with the focus being on those clients that fall outside the norm.
Or businesses may assess the money laundering risks of:
and apply a simple risk categorisation of low/normal/high on the basis of these categories. Such an approach is valid, and should be capable of minimising complexity, but needs to retain an element of discretion and flexibility where risk ratings may be raised or lowered with appropriate management input in response to particular or exceptional circumstances.
This categorisation can then be incorporated into client acceptance procedures, and as step 1 of the customer due diligence process, allows a money laundering risk level to be assigned to ensure appropriate, but not excessive, customer due diligence work is carried out.
This helps businesses to adjust their internal controls to the appropriate level of risk presented by the individual client or the particular retainer. Different aspects of the business's CDD controls will meet the different risks posed:
Businesses are required to monitor and manage their compliance with and internal communication of their policies and procedures and this includes their systems for risk assessment and management, as well as their other anti-money laundering policies and procedures. All such systems should be managed through monitoring the operation of the controls, updating them where necessary and assessing whether they have been effective.
Risk assessment is an ongoing process both for businesses generally and for each client, business relationship and retainer. It is the overall information held by a business gathered while acting for the client that will inform the risk assessment process. For example, businesses may, during the course of a transaction or business relationship, become aware of activity in the client's business which they perceive as likely, by its nature, to be related to money laundering or terrorist financing (in particular, complex or unusually large transactions and all unusual patterns of transactions which have no apparent economic or visible lawful purpose). In those circumstances, businesses have a duty to pay special attention to such an activity.
It is important, therefore, for any approach adopted to incorporate provisions for raising the risk rating from low or normal to high if any information comes to light in conducting the customer due diligence or subsequently that causes concern or suspicion.
In all cases, even where clients qualify forunder the terms of the 2007 Regulations, or where they are considered low risk for other reasons, to assist in effective ongoing monitoring businesses should gather knowledge about the client to allow understanding of: