ECSH33205 - Checking risk assessment and management

A business-wide risk assessment is required by regulation 18 (for money laundering and terrorist financing risk) and 18A (in relation to proliferation financing) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLR 2017). You must ensure you are familiar with the requirements of the MLR 2017.

When preparing for a compliance intervention, you would usually request a copy of the business’s risk assessment documents to review in advance.

This gives you an indication of the risks associated to the business’s activities and helps to gauge the level of understanding and compliance before conducting the compliance intervention. You will get a fuller understanding of the risk when you have spoken to the business and understand how it operates.

You should also refer to the risk assessment at various stages throughout your compliance intervention. For example, you should do this:

  • During and after your interview with the business to ensure what was said corresponds with the written risk assessment.
  • After you’ve reviewed the client list or transaction list to ensure that the business has appropriately identified and assessed the risks it is subject to.
  • After you’ve conducted records testing – see ECSH33700.

The overall aim of checking the risk assessment document is to ensure the business has recorded the steps taken when assessing money laundering, terrorist financing and proliferation financing (ML/TF/PF) risk within its business, and to establish if it is functioning effectively in driving the business’s anti-money laundering and countering the financing of terrorism and proliferation (AML/CFT/CFP) procedures.

This will be confirmed when testing individual customer files and transaction records to ensure that customer due diligence and monitoring procedures are appropriate to the level of risk associated to its customers, geographic locations, products or services, transactions and delivery channels.

You must use judgement to evaluate if the business has identified and assessed all the risks it is potentially exposed to, or if there are weaknesses in the risk identification and management systems resulting in an increased risk of ML/TF/PF taking place.

Requesting the risk assessment

Depending on the circumstances of your case, you may have requested a copy of the risk assessment:

  • During your initial contact with the business alongside other documents for a compliance check - ECSH 32820.
  • When determining an application for registration for anti-money laundering supervision for money service businesses (MSBs) and trust or company service providers (TCSPs). In this case, the risk assessment may be requested by letter.

You should be aware that requesting the risk assessment prior to the compliance intervention may not apply in certain circumstances, such as an unannounced or branch/agent visit.

You must consider:

  • The format of the documents and how the business will provide them to you (post, email or by Dropbox).
  • The time frame for providing the documents.
  • The relevant period that the documents cover.

More information on requesting the risk assessment can be found at ECSH32825.

You must ask for the most up to date document and the relevant period that the risk assessment covers. It is important that you obtain a copy of any previous versions which were in place for the relevant period you select for your compliance check. For more information on the relevant period, see ECSH32825. You may need to ask further questions to establish when the risk assessment was created, implemented and updated by the business.

What to do if the business does not send you the risk assessment

If the business does not send the risk assessment, you should follow the guidance titled “What to do if the business does not send you the information requested” which can be found in ECSH32825.

What to do if the business confirms there is no risk assessment in writing

When requesting the written risk assessment, the business may say that it does not have a risk assessment in writing. You may need to explain what is meant by risk assessment and check that the business understands your request. You should also check whether it is included in any other business documents - more guidance can be found at ECSH32825.

If the business confirms that it does not have a risk assessment in writing, you should tell the business that this is a breach of regulation 18(4) (for money laundering and terrorist financing) and/or 18A (4) (for proliferation financing) of MLR 2017 and they need to correct the breach as soon as possible.

You must direct the business to guidance available on GOV.UK, and other help and support available.

You should note that a business may have conducted a risk assessment but failed to record it in writing. You must confirm this with the business as soon as possible, leaving no ambiguity, as there are distinct breaches of regulation 18(1) and 18A(1) and 18(4) and 18A(4) you must establish.

In either case, you will need to confirm the business’s assessment of ML/TF/PF risks in its business through thorough questioning – see ECSH 33000 for more details.

Business wide risk assessment vs client risk assessments

You should be aware that the business-wide risk assessment, which identifies and assesses all the ML/TF/PF risks the business faces, is different from an individual client risk assessment.

An individual client risk assessment is a document that businesses may sometimes use to individually risk assess their clients. (You may request to see individual client risk assessments if applicable to your case during the transaction testing part of your compliance check, see ECSH 33700).

If the business only sends you a client risk assessment, you should ask further questions to establish if they have a business-wide risk assessment located anywhere else. A client risk assessment on its own without a business-wide risk assessment is unlikely to meet the requirements of regulations 18 and 18A.

Reviewing a risk assessment in writing

Your review of the risk assessment is to confirm that the business is following a risk-based approach and focusing resources where the risks are highest.

The risk assessment can be in any format, but it must be in writing. It doesn't have to be a separate document and it may be included within other business risk assessments covering other risks relevant to the business. Sometimes it may be included within the same document as the policies, controls and procedures.

Once you have received a copy of the business’s risk assessment document/s, you must set aside time to review it in detail. You should review it in line with:

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Remember, risks are fluid and vary in every business you encounter so you must be adaptable in your review of the business’s risk assessment.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Templates and third-party providers

You may find that the business has used a template to create the risk assessment. This may be acceptable, provided it has been fully completed and accurately identifies and assesses the specific risks of ML/TF/PF to the business. For example, if you review a risk assessment which appears to be a template with pre-populated fields, you should ask further questions to check how the business has identified and assessed these risks. You should then re-check the written risk assessment to ensure it covers what the business has told you. You may find that the risk assessment has been created by a third-party provider.

Who is responsible for the risk assessment?

It’s important to note that the business is responsible for the risk assessment even if it has been provided by an independent adviser.

Similarly, a franchisor may have provided a risk assessment to its franchisees. However, if the franchisees are registered as separate businesses and independently registered for anti-money laundering supervision, they must carry out their own risk assessment.

For principal and agent relationships, most commonly seen in money service businesses, you must read the guidance in ECSH51080.

Length of the risk assessment

There isn’t a template or “one size fits all” length for a risk assessment. The risks each business faces will differ greatly due to the size and nature of the business activities. You will need to decide if the risk assessment adequately identifies and assesses all the risk factors.

Checking the risk assessment through questioning

Whether you have received risk assessment documents from the business or not, it is crucial for you to have a conversation with the business around the risk areas. If there are risk areas which are not included in the written documents, you must establish whether the business has still identified and assessed these as risks. You should ask if there are any other records in writing which cover the risk areas which you may need to consider during your review of the risk assessment.

You must consider the following aspects of risk assessment and management alongside the policies, controls and procedures in place as these are directly linked:

  • Is the business and customer profile information held or provided consistent with the business records and the practices observed during the visit?
  • Has the senior management explained to you the ML/TF/PF risks that the business is exposed to?
  • Has the business considered the information made available to them by HMRC such as sector specific guidance and the “Understanding risks and taking action” guidance published on GOV.UK?
  • What are the indicators of higher-risk customers, locations, products, services, transactions, and delivery channels?
  • Are relevant staff aware of the risks and appropriate procedures to follow?
  • Are there any customers who could be politically exposed persons? If so, how are they identified?
  • Are business relationships established with all or some of the customers?
  • If so, how are the clients risk assessed and categorised when a business relationship is established? What criteria are used?
  • When and how are risk assessments reviewed and updated?
  • Is the approach to risk assessment and management appropriate in relation to the business’s structure?

You should also consider that failure to identify and assess risk areas may lead to further areas of non-compliance and weakness. For example, if you discover there is a risk area that the business has not identified or assessed, ask the business about this. It may be the case that failing to assess a significant risk leads to a systemic failure of the business as a whole. For example, a business that has not assessed a particular customer type as high risk may, as a result, have failed to conduct enhanced due diligence (EDD) on all the transactions it should have.

If you have identified any breaches of MLR 2017, you should establish which specific subsection of regulation 18 and 18A has been breached. More information on where the breaches lie can be seen under the heading of “So where do we get the breaches?” within ECSH63381 Regulation 18 walk through guidance.