On 17 September 2014 the GFSC issued a FAQ to answer the following question:
• What is a Business Risk Assessment?
Introduction
1. Regulation 3 of the AML/CFT Regulations requires a business to carry out and document a suitable and sufficient business risk assessment (“BRA”).
2. A BRA is an important tool used to identify, assess and decide how a business will mitigate its risk exposure to the particular types of financial crime risks to which it could be exposed.
3. Other benefits gained from performing a BRA are listed in Chapter 3 of the AML/CFT Handbooks.
4. The term “financial crime” is used in this guidance to describe money laundering, terrorist financing, corruption and bribery, and such other predicate offences as are listed in Chapter 1 of the Handbooks.
Identification of Financial Crime Risks
1. The first step in undertaking a BRA is determining the potential financial crime risks to which the business could be exposed.
2. In order to be considered “suitable”, the BRA must document consideration of the financial crime risks that are specific to its own business activities. The contents of the BRA should reflect an informed consideration of these risks.
3. A BRA will not be considered “sufficient” where it identifies only generic risks such as “there is a risk that our products could be used to finance terrorism” or “the proceeds we receive may have been derived from bribery and corruption”. A BRA will also not be considered suitable where it appears to list all possible forms of financial crime risk, regardless of their relevance to the business or their likelihood of occurrence.
4. A business must ask itself, “what is the threat of our business being used for financial crime?” For example:
Q: What risk is posed by the target/actual customer base, taking into account:
The proportion comprising high net worth individuals and politically exposed persons,
The geographic origin of customers and, where applicable, of their controllers and beneficial owners,
The proportion which will comprise ongoing non-face-to-face relationships, where reliance will be placed on third parties to verify customer identity (i.e. certifiers, introducers); and
The complexity of customer structures and legal arrangements.
Sources of Information
1. There are a number of different sources of information about the financial crime risks relating to particular types of business activities, products, services, customers, transactions, delivery channels etc. Examples of some useful sources are listed at the end of this guidance.
2. Industry sectors will have inherent and/or generic risk factors and these will need to be referenced.
3. Additionally, individual entities will also have risk factors particular to that entity which will need to be referenced in their BRA.
4. A BRA should not contain unsubstantiated, highly generalised references to risk faced by the business.
5. For example, a reference to all business being low risk would not be acceptable unless it was backed up with sufficient information as to how this assessment had been made.
Consider Risk “In the Round”
1. Before moving to the next step, a business should step back and consider its “risk in the round”.
2. A business should not only consider each of the financial crime risks individually, but also whether their concurrent or confluent effect on one another might raise its overall risk exposure.
Other operational factors may increase the overall level of risk. These include but are not limited to:
1. The outsourcing of financial crime controls or other regulatory requirements to an external third party or a member of the group of companies to which the business belongs; or
2. The use of on-line or web-based services and cybercrime risks which may be associated with those service offerings.
Assess & Mitigate the Financial Crime Risks
1. Having identified the financial crime risks, the business must then assess those risks and consider how they will be mitigated by the business.
2. These measures may, for example, include:
a) Varying CDD procedures appropriate to the assessed financial crime risks for certain customers,
b) Requiring the quality of verification evidence – documentary/electronic/third party – to be of a certain standard,
c) Allocating additional resources to allow for enhanced monitoring measures to be applied,
d) Applying oversight measures and reporting requirements to third parties to whom compliance functions have been outsourced,
e) Requiring review by the compliance function and approval by senior management of the take-on of new relationships; or
f) Limiting the acceptance of certain high risk business to a particular threshold, relative to the overall customer base of the business.
3. Each measure should be designed to address the identified risks. While a short summary of the specific measure to be applied may be suitable, it will not be sufficient for a business to record a generalised statement such as, “the business has policies and procedures in place to mitigate this risk”.
Responsibility for the Assessment
a) The Board and senior management of any business are responsible for managing the business effectively. They are in the best position to evaluate all potential risks including financial crime risks.
b) The rules in Chapter 2 of the Handbooks in relation to corporate governance make it clear that the Board has effective responsibility for compliance with the Regulations and the Handbook and therefore it must take ownership of and responsibility for the preparation and review of the BRA.
c) Businesses should also be alive to the Commission’s FAQ on reliance on third parties, particularly where a third party is asked to prepare the BRA, which can also be found on this webpage.
Format of the Assessment
a) The format of an assessment is a matter to be decided by the business. Of critical importance is that the BRA is documented and records the assessment undertaken.
b) The date on the assessment should be the day on which the BRA was reviewed and approved by the Board.
c) Tracked versions of a BRA should not be submitted when requested by the Commission as part of a pre-onsite visit unless they have been reviewed and approved by the Board, or equivalent, of the business.
d) Businesses are strongly discouraged from copying the assessment prepared by another business, or using an “off the shelf” assessment which pre-identifies suggested financial crime risks. It has been observed that businesses who do so frequently fail to accurately identify the financial crime risks specific to their business and adopt policies, procedures and controls that are either ill-suited or fail to mitigate their financial crime risks.
What should the BRA not contain?
a) The BRA should not simply be a cut and paste version of the relevant sections of the Handbook.
b) The BRA should not be a generic document which has simply been populated with general information.
c) It should not be a mix of ML/FT and prudential risk. If the business wishes to combine the assessment of ML/FT and prudential risk in one document there needs to be a clear division between the two assessments.