ECSH33205 - Checking risk assessment and management

Introduction

A business-wide risk assessment is required by regulation 18 (for money laundering and terrorist financing risk) and 18A (in relation to proliferation financing) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLR 2017). You must ensure you are familiar with the requirements of these regulations.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

When preparing for a compliance check, you would usually request a copy of the business’s risk assessment documents to review in advance – see ECSH 32825 detailing information and documents requested before an intervention.

This gives you an indication of the risks associated with the business’s activities and helps to gauge the level of understanding and compliance before conducting the compliance check. You will get a fuller understanding of the risk when you have spoken to the business and understand how it operates.

You should also refer to the risk assessment at various stages throughout your compliance check. For example, you should do this:

  • during and after your interview with the business to ensure what was said corresponds with the written risk assessment
  • after you’ve reviewed the client list or transaction list to ensure that the business has appropriately identified and assessed the risks it is subject to
  • after you’ve conducted records testing – see ECSH 33700 on records testing

The overall aim of checking the risk assessment document is to ensure the business has recorded the steps taken when assessing money laundering, terrorist financing and proliferation financing (ML/TF/PF) risk within its business, and to establish if it is functioning effectively in driving the business’s anti-money laundering and countering the financing of terrorism and proliferation (AML/CFT/CFP) procedures.

This will be confirmed when testing individual customer files and transaction records - see ECSH 33700 Records testing - to ensure that customer due diligence and monitoring procedures are appropriate to the level of risk associated with its customers, geographic locations, products or services, transactions and delivery channels.

You must use judgement to evaluate if the business has identified and assessed all the risks it is potentially exposed to, or if there are weaknesses in the risk identification and management systems resulting in an increased risk of ML/TF/PF taking place.

Requesting the risk assessment

Depending on the circumstances of your case, you may have requested a copy of the risk assessment:

  • during your initial contact with the business alongside other documents for a compliance check - ECSH 32820 What to establish
  • when determining an application for registration for anti-money laundering supervision for money service businesses (MSBs) and trust or company service providers (TCSPs). In this case, the risk assessment may be requested by letter - ECSH 45815 The fit and proper test – RA and PCP inspection

You should be aware that requesting the risk assessment prior to the compliance check may not apply in certain circumstances, such as an unannounced or branch/agent visit.

You must consider:

  • the format of the documents and how the business will provide them to you (post, email or by Dropbox)
  • the time frame for providing the documents
  • the relevant period that the documents cover

More information on requesting the risk assessment can be found at ECSH 32825.

You must ask for the most up-to-date document and the relevant period that the risk assessment covers. It is important that you obtain a copy of any previous versions which were in place for the relevant period you select for your compliance check. For more information on the relevant period, see ECSH 32825 Information and documents requested before an intervention. You may need to ask further questions to establish when the risk assessment was created, implemented and updated by the business.

What to do if the business does not send you the risk assessment

If the business does not send the risk assessment, you should follow the guidance titled “What to do if the business does not send you the information requested” which can be found in ECSH 32825.

What to do if the business confirms there is no risk assessment in writing

When requesting the written risk assessment, the business may say that it does not have a risk assessment in writing. You may need to explain what is meant by risk assessment and check that the business understands your request. You should also check whether it is included in any other business documents - more guidance can be found at ECSH 32825.

If the business confirms that it does not have a risk assessment in writing, you should tell the business that this is a breach of regulation 18(4) (for money laundering and terrorist financing) and/or 18A(4) (for proliferation financing) of MLR 2017 and that it needs to correct the breach as soon as possible.

You must direct the business to guidance available on GOV.UK, and other help and support available.

You should note that a business may have conducted a risk assessment but failed to record it in writing. You must confirm this with the business as soon as possible, leaving no ambiguity, as there are distinct breaches of regulation 18(1) and 18A(1) and 18(4) and 18A(4) you must establish -

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

In either case, you will need to confirm the business’s assessment of ML/TF/PF risks in its business through thorough questioning – see ECSH 33000, How to do a compliance check for more details.

Business-wide risk assessment vs client risk assessments

You should be aware that the business-wide risk assessment, which identifies and assesses all the ML/TF/PF risks the business faces, is different from an individual client risk assessment.

An individual client risk assessment is a document that businesses may sometimes use to individually risk assess their clients. (You may request to see individual client risk assessments if applicable to your case during the transaction testing part of your compliance check, see ECSH 33700 Records testing.)

If the business only sends you a client risk assessment, you should ask further questions to establish if it has a business-wide risk assessment located anywhere else. A client risk assessment on its own, without a business-wide risk assessment, is unlikely to meet the requirements of regulations 18 and 18A.

Reviewing a risk assessment in writing

Your review of the risk assessment is to confirm that the business is following a risk-based approach and focusing resources where the risks are highest.

The risk assessment can be in any format, but it must be in writing. It doesn't have to be a separate document and it may be included within other business risk assessments covering other risks relevant to the business. Sometimes it may be included within the same document as the policies, controls and procedures.

Once you have received a copy of the business’s risk assessment document/s, you must set aside time to review it in detail. You should review it in line with:

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Remember, risks are fluid and vary in every business you encounter so you must be adaptable in your review of the business’s risk assessment.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Templates and third-party providers

You may find that the business has used a template to create the risk assessment. This may be acceptable, provided it has been fully completed and accurately identifies and assesses the specific risks of ML/TF/PF to the business. (This content has been withheld because of exemptions in the Freedom of Information Act 2000) You may find that the risk assessment has been created by a third-party provider.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Who is responsible for the risk assessment?

It’s important to note that the business is responsible for the risk assessment even if it has been provided by an independent adviser.

Similarly, a franchisor may have provided a risk assessment to its franchisees. However, if the franchisees are registered as separate businesses and independently registered for anti-money laundering supervision, they must carry out their own risk assessment.

For principal and agent relationships, most commonly seen in money service businesses, you must read the guidance in [link to ECSH 51080 Principal/Agents Networks].

Length of the risk assessment

There isn’t a template or “one size fits all” length for a risk assessment. The risks each business faces will differ greatly due to the size and nature of the business activities. You will need to decide if the risk assessment adequately identifies and assesses all the risk factors.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)