In light of the BSA’s and 2017 Regulations’ risk-based approach to the construction of an AML compliance program, a financial institution (in the US) or regulated firm (in the UK) must conduct a comprehensive risk assessment of its vulnerability to money laundering before designing the program.
At a high level, the risk factors that must be analyzed generally include, but are not limited to:
- the level of risk inherent in products and services provided by the financial institution;
- the customer base served by the financial institution, including the type of customers (individuals, institutions, financial institutions, or private funds) and their geographic location(s);
- the geographic location of the financial institution’s transactions and operations;
- the delivery channels used by the financial institution; and
- the controls imposed by the financial institution at the business and legal entity level (e.g., other policies and procedures, transaction monitoring capabilities, management oversight, and quality of training).
The US Federal Financial Institutions Examination Council (FFIEC), a federal interagency body of banking regulators, provides guidance on conducting risk assessments in its BSA/AML Examination Manual. FFIEC does not prescribe a particular risk assessment method. Instead, bank management is tasked with deciding the format based on the bank’s risk profile and in a way that can be easily understood by all appropriate parties. According to FFIEC, after examining the above-listed risk factors, a written risk assessment should provide a comprehensive analysis of the bank’s AML risks in a concise and organized presentation that is shared with all business lines, the board of directors, management, and appropriate staff. The AML compliance program should then be structured to address the risk profile so identified, by developing appropriate policies, procedures, and processes to monitor and control the bank’s AML risks.
In the UK, a regulated firm’s risk assessment must also take into account any information made available to it by the relevant supervisory authority. Regulated firms must keep an “up-to-date record in writing” of all steps taken in the risk assessment. The supervisory authority may exempt a firm from this requirement if the authority decides that the risks applicable to the sector in question are “clear and understood.” If requested by the supervisory authority, a firm must provide to it the risk assessment, the supporting documentation, and the written record referred to above.[1]
[1] The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692, reg. 18 (UK).