Legal development

ML/TF risk assessment: the cornerstone of an effective AML/CTF framework

    The foundation of an AML/CTF program

    The Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Anti‑Money Laundering and Counter‑Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules) require reporting entities to adopt an anti-money laundering/counter-terrorism financing (AML/CTF) program. Sections 8.1.4 and 9.1.4 of the AML/CTF Rules state that the primary purpose of Part A of the program is to identify, mitigate and manage money laundering and terrorism financing (ML/TF) risk. In identifying ML/TF risk, a reporting entity must take into account the risk posed by:

    • its customer types;
    • the types of designated services (products) it provides;
    • the methods by which designated services are delivered (channels); and
    • the foreign jurisdictions it deals with.

    A reporting entity can identify and assess its level of ML/TF risk by conducting an ML/TF risk assessment. A comprehensive ML/TF risk assessment will assess both a reporting entity's inherent and residual ML/TF risk exposure. Inherent risk refers to the ML/TF risk present before a reporting entity applies controls and processes to mitigate its exposure. Residual risk is the remaining ML/TF risk after a reporting entity has applied controls and processes to reduce its ML/TF risk exposure.

    A robust ML/TF risk assessment is essential in providing a reporting entity with a thorough understanding of its ML/TF risk exposure so that its AML/CTF program and supporting policies, procedures, controls and systems are able to be designed and implemented commensurate to the level of ML/TF risk identified.

    A holistic view of ML/TF risk

    In considering the ML/TF risk posed by its customers, products, channels and jurisdictions (collectively "risk factors"), a reporting entity should ensure that it does not consider each risk factor solely in isolation. Instead, a reporting entity should also consider the risk posed by the risk factors collectively, by conducting an enterprise-wide risk assessment (EWRA). The objective of an EWRA is to provide a reporting entity with a holistic view of its ML/TF risk exposure.

    As illustrated below, an effective EWRA overlays and aggregates the results from the underlying risk assessments (customer, product, channel and jurisdiction) to identify enterprise-level insights and areas of concentrated ML/TF risk across business areas. 

    Figure 1: The interaction between the EWRA and the underlying ML/TF risk assessments


    Enterprise-level ML/TF risk insights should be used to inform the design of a reporting entity's mitigating controls and downstream processes (for example the application of transaction monitoring rules to products assessed as high ML/TF risk).

    Maintaining ongoing oversight of ML/TF risk

    ML/TF risk assessments should not be conducted as a one-off exercise. Instead, ML/TF risk assessments should be conducted periodically to enable the ongoing oversight and management of ML/TF risk. When determining the assessment cycle in which ML/TF risk assessments are conducted, a reporting entity should take into account the size, nature and complexity of its business. Consideration should also be given to the time and resources required to perform the assessment.

    Given the continuously evolving AML/CTF landscape, reporting entities should keep abreast of updates that may give rise to the need for ML/TF risk assessments to be performed outside of their periodic assessment cycle, including:

    • New regulatory guidance: For example, the Financial Action Task Force (FATF) recently added four jurisdictions (Haiti, Malta, Philippines, and South Sudan) to their list of Jurisdictions under increased monitoring;
    • Emerging ML/TF risk typologies: Typologies may be identified internally (e.g. through analysing transaction monitoring alerts and suspicious matter reporting data) or externally (e.g. through reviewing financial crime intelligence, knowledge shared within the industry and financial crime guides). For example, the Australian Transaction Reports and Analysis Centre (AUSTRAC)'s recent financial crime guide to cuckoo smurfing outlines cuckoo smurfing-related typologies and financial indicators;
    • Amendments to the AML/CTF Act and AML/CTF Rules: For example, the recent Anti-Money Laundering and Counter-Terrorism Financing Act 2020 (No.133) and the recent Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2021 (No.1) introduced mandatory due diligence requirements that reporting entities are required to apply before entering into, and throughout, correspondent banking relationships. Prior to the reforms, reporting entities typically adopted a risk-based approach to determine the level of due diligence required to be performed on correspondent banking relationships, as noted in FATF's Mutual Evaluation Report for Australia. The new mandatory correspondent banking due diligence requirements enable deeper insights to be obtained regarding correspondent banking relationships which are able to be incorporated into an EWRA; and
    • Significant changes in the reporting entity's size, nature and complexity: For example, where there is a material change in the reporting entity's organisational structure, a change in the nature of its customer relationships, the introduction of new products and channels, the use of new technologies, or the expansion into foreign jurisdictions. 

    Widely publicised ML/TF risk assessment deficiencies

    Inadequate ML/TF risk assessments can result in poorly designed downstream processes and controls that do not appropriately mitigate a reporting entity's ML/TF risk exposure. Deficiencies in downstream processes and controls heighten the risk that a reporting entity may fail to meet its AML/CTF obligations and may unwittingly be exploited by criminals to facilitate ML/TF activity.

    Recent regulatory activity has highlighted the importance of comprehensive and robust ML/TF risk assessments. Persistent failings relating to the performance of effective ML/TF risk assessments have contributed to widely publicised AML/CTF compliance issues. Outlined below are some of the recent ML/TF risk assessment failures that have served as a precursor for regulatory scrutiny:

    • the application of generic ML/TF risk assessment methodologies which do not comprehensively identify and assess the ML/TF risks specific to the reporting entity's size, nature and complexity; 
    • a lack of reporting to senior management on the results of ML/TF risk assessments; 
    • a failure to adequately consider both new and existing ML/TF typologies in the design of a reporting entity's ML/TF risk assessment methodology; 
    • a failure to conduct ML/TF risk assessments prior to the introduction of new designated services and delivery methods; and
    • a failure to design and implement appropriate controls to manage customers assessed as high risk.

    Practical challenges in conducting ML/TF risk assessments

    Through our work supporting reporting entities in undertaking their ML/TF risk assessments, we have observed the following challenges when performing ML/TF risk assessments:

    • Planning and allocating resources: The performance of ML/TF risk assessments can be resource-intensive, particularly in gathering the required information from business stakeholders, systems and databases. Reporting entities may not have assigned dedicated resources, or key personnel may not have sufficient capacity, to conduct regular and comprehensive ML/TF risk assessments. In addition, the quality of ML/TF risk assessments may be impacted by short completion timeframes or other business priorities (e.g. business-as-usual activities or strategic initiatives).
    • Methodology design: Reporting entities may face difficulties developing an in-house ML/TF risk assessment methodology that provides a comprehensive and relevant view of their ML/TF risk exposure. Where "off-the-shelf" ML/TF risk assessment solutions are utilised, reporting entities should ensure they are able to demonstrate their understanding of the solutions' inputs, underlying methodology and outputs.

      Moreover, an ML/TF risk assessment methodology should incorporate a combination of both quantitative and qualitative risk attributes to drive a more meaningful and holistic assessment of ML/TF risk.
    • Engaging key stakeholders: To ensure that an ML/TF risk assessment accurately captures business-specific ML/TF risk, a sufficient level of engagement with business stakeholders is required. However, there may be challenges in identifying stakeholders within each business area who have an appropriate level of knowledge across the risk factors. In addition, an insufficient level of AML/CTF knowledge within the business may impede the reporting entity's ability to truly understand the level of ML/TF risk present within its various business areas.
    • Data quality: Whilst the utilisation of quantitative data within an ML/TF risk assessment promotes an objective and consistent risk assessment approach, reporting entities face common challenges in gathering meaningful data that is reliable, accurate, complete and consistently available across the entire business. 
    • Controls assessment: After assessing the level of inherent ML/TF risk a reporting entity faces, the inclusion of a controls assessment within the risk assessment methodology allows reporting entities to determine their residual ML/TF risk exposure. However, incorporating a controls assessment may be difficult where controls are not maintained centrally or captured accurately. Furthermore, the absence of a control effectiveness assessment impedes a reporting entity's ability to meaningfully consider its control environment within the context of its ML/TF risk assessment.
    • Enterprise-wide view: There may be significant challenges assessing ML/TF risk at an enterprise level, where the reporting entity has multiple business areas or operates across multiple jurisdictions. Understanding the nuances within each business area is essential in defining the scope of an ML/TF risk assessment. Conducting an EWRA may be complicated further by the reporting entity's size, nature and complexity, or if specific business areas conduct their own ML/TF risk assessments, utilising different methodologies. 
    • Timeliness: Determining the appropriate timing and frequency for the performance of an ML/TF risk assessment is a common challenge for reporting entities. The insights from ML/TF risk assessments need to be accurate and relevant to assist senior management to make informed decisions relating to ML/TF risk management. Therefore, the information and data utilised in ML/TF risk assessments should be current and reliable. In addition, the underlying risk assessments (customer, product, channel, and jurisdiction risk assessments) should be conducted prior to performing an EWRA, to ensure inputs used in the EWRA are accurate and current.

    Considerations for a reporting entity's ML/TF risk assessment

    In summary, the design and implementation of a robust ML/TF risk assessment enables a reporting entity to effectively identify, manage and mitigate its ML/TF risk exposure. The ML/TF risk assessment is a powerful diagnostic tool that allows a reporting entity to understand its ML/TF risk exposure, set its risk appetite and implement effective mitigating controls and downstream processes accordingly. 

    A failure to effectively conduct an ML/TF risk assessment may inhibit a reporting entity's ability to detect and disrupt ML/TF activity, thereby exposing the reporting entity to potential regulatory scrutiny, reputational damage and financial penalties.

    To address the issues and challenges involved in designing and executing an ML/TF risk assessment, reporting entities should consider: 

    • Resourcing and business priorities:
        • Does the reporting entity have an optimal resourcing mix and sufficient expertise dedicated to performing ML/TF risk assessments?
        • How are ML/TF risk assessments prioritised alongside business-as-usual activities?
        • Can external skillsets and additional expertise be sourced to supplement in-house capabilities?
    • Designing ML/TF risk assessments that are fit-for-purpose:
        • What information is readily available for inclusion within an ML/TF risk assessment, so that timely and relevant outputs can be obtained?
        • What uplift activities are required to develop a more meaningful and mature ML/TF risk assessment methodology?
        • Can the ML/TF risk assessment methodology be refined to incorporate real-time, data-driven inputs?
    • Ongoing ML/TF risk assessment maintenance and performance:
        • Is the ML/TF risk assessment methodology due for a periodic review?
        • Do recent updates in the AML/CTF landscape require the reporting entity to review its ML/TF risk assessment methodology or conduct an ML/TF risk assessment outside of its regular cycle?

    Authors: Samantha Carroll, Partner; Kieran Francis, Director, Ashurst Risk Advisory; and Lauren Soon, Executive, Ashurst Risk Advisory.

     

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group. 

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst.  Some members of the Ashurst Group are limited liability entities.  
    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services. 
    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 06 August 2021 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
