Risk Assessment

In October, AUSTRAC announced the updated guidance for money laundering and terrorism financing (ML/TF) risk assessment. Whether you need to do your first risk assessment or review it, this post will help you navigate the new AUSTRAC guidance.

Risk Areas

As you understand your business the best, you are better placed to assess your ML/TF risks. Such assessment should serve as the foundation of your AML/CTF program. When you offer a designated service, you should consider:

• Customer types, especially if some are politically exposed persons.

• Services offered, with some services naturally presenting higher risks than others.

• Delivery methods, for example, in person, or online.

• Foreign jurisdictions, you operate or do business in.

For a comprehensive risk assessment, you should also consider the nature, size and complexity of your business overall (e.g., number of branches, staff, agents and so on).

Inherent Risks and Controls

You should assess your inherent ML/TF risks, where inherent risk means the level of ML/TF risks before you apply any system and controls to reduce such risk. To do so, you should develop an appropriate risk assessment methodology that includes a way to measure the likelihood and impact of ML/TF risks. Likelihood is the possibility of a potential risk occurring. Impact is the expected harm or adverse effect that may occur due to exposure to such risk.

AUSTRAC suggests considering a three-level risk scale (low, medium and high) to assess your risks. In the light of that, a good way to visualise likelihood and impact is with the following matrix:

To mitigate your inherent risks, you may apply either:

• preventive controls - things like setting transaction thresholds that limit the use of your products in a way that would increase ML/TF risks; or

• detective controls - things like gathering information on products and channels used.

AUSTRAC considers that if you use only detective controls and no preventive controls, you may not be able to adequately mitigate your inherent ML/TF risks.

Both your risk assessment and your controls need to be documented in writing.

Guidelines

The risk assessment guidance published by AUSTRAC states that in developing your risk assessment, you should consider AUSTRAC’s guidelines, which include:

• National risk assessments 

• Sector-based risk assessments 

• Financial crime guides and threat alerts 

• Sector-specific guidance pages for your industry 

• Typology and case studies reports 

Ongoing Risk Assessment and Review

You must regularly update your risk assessment to account for new services, new delivery methods, new technologies, new jurisdictional exposures, and changes in customer circumstances – such as shifts in ownership or control structures, or changes in the business relationship with you. Finally, you should also consider external changes in your ML/TF risks, e.g., new trends. 

What’s next

Whether you need to write your ML/FT risk assessment from scratch, or you need to review your current one, we can help. Get in touch for a chat.