ML/TF risk assessment: the cornerstone of an effective AML ...

The ML/TF risk assessment is a powerful diagnostic tool that allows a reporting entity to understand its ML/TF risk exposure, set its risk ... FinancialServicesUpdate 06Aug2021 ML/TFriskassessment:thecornerstoneofaneffectiveAML/CTFframework LegalUpdates CommonchallengesinperforminganML/TFriskassessment Download SHARE Facebook LinkedIn Mail Twitter CLOSE ThePDFserverisoffline.Pleasetryaftersometime. ThefoundationofanAML/CTFprogramTheAnti‑MoneyLaunderingandCounter‑TerrorismFinancingAct2006(Cth)(AML/CTFAct)andAnti‑MoneyLaunderingandCounter‑TerrorismFinancingRulesInstrument2007(No.1)(Cth)(AML/CTFRules)requirereportingentitiestoadoptananti-moneylaundering/counter-terrorismfinancing(AML/CTF)program.Sections8.1.4and9.1.4oftheAML/CTFRulesstatethattheprimarypurposeofPartAoftheprogramistoidentify,mitigateandmanagemoneylaunderingandterrorismfinancing(ML/TF)risk.InidentifyingML/TFrisk,reportingentitiesmusttakeintoaccounttheriskposedby:itscustomertypes;thetypesofdesignatedservices(products)itprovides;themethodsbywhichdesignatedservicesaredelivered(channels);andtheforeignjurisdictionsitdealswith.AreportingentitycanidentifyandassessitslevelofML/TFriskbyconductinganML/TFriskassessment.AcomprehensiveML/TFriskassessmentwillassessbothareportingentity'sinherentandresidualML/TFriskexposure.InherentriskreferstotheML/TFriskpresentbeforeareportingentityappliescontrolsandprocessestomitigateitsexposure.ResidualriskistheremainingML/TFriskafterareportingentityhasappliedcontrolsandprocessestoreduceitsML/TFriskexposure.ArobustML/TFriskassessmentisessentialinprovidingareportingentitywithathoroughunderstandingofitsML/TFriskexposuresothatitsAML/CTFprogramandsupportingpolicies,procedures,controlsandsystemsareabletobedesignedandimplementedcommensuratetothelevelofML/TFriskidentified.AholisticviewofML/TFriskInconsideringtheML/TFriskposedbyitscustomers,products,channelsandjurisdictions(collectively"riskfactors"),areportingentityshouldensurethatitdoesnotconsidereachriskfactorsolelyinisolation.Instead,areportingentityshouldalsoconsidertheriskposedbytheriskfactorscollectively,byconductinganenterprise-wideriskassessment(EWRA).TheobjectiveofanEWRAistoprovideareportingentitywithaholisticviewofitsML/TFriskexposure.Asillustratedbelow,aneffectiveEWRAoverlaysandaggregatestheresultsfromtheunderlyingriskassessments(customer,product,channelandjurisdiction)toidentifyenterprise-levelinsightsandareasofconcentratedML/TFriskacrossbusinessareas. Enterprise-levelML/TFriskinsightsshouldbeusedtoinformthedesignofareportingentity'smitigatingcontrolsanddownstreamprocesses(forexampletheapplicationoftransactionmonitoringrulestoproductsassessedashighML/TFrisk).MaintainingongoingoversightofML/TFriskML/TFriskassessmentsshouldnotbeconductedasaone-offexercise.Instead,ML/TFriskassessmentsshouldbeconductedperiodicallytoenabletheongoingoversightandmanagementofML/TFrisk.WhendeterminingtheassessmentcycleinwhichML/TFriskassessmentsareconducted,areportingentityshouldtakeintoaccountthesize,natureandcomplexityofitsbusiness.Considerationshouldalsobegiventothetimeandresourcesrequiredtoperformtheassessment.GiventhecontinuouslyevolvingAML/CTFlandscape,reportingentitiesshouldkeepabreastofupdatesthatmaygiverisetotheneedforML/TFriskassessmentstobeperformedoutsideofitsperiodicassessmentcycle,including:Newregulatoryguidance:Forexample,theFinancialActionTaskForce(FATF) recentlyaddedfourjurisdictions(Haiti,Malta,Philippines,andSouthSudan)totheirlistofJurisdictionsunderincreasedmonitoring;EmergingML/TFrisktypologies:Typologiesmaybeidentifiedinternally(e.g.throughanalysingtransactionmonitoringalertsandsuspiciousmatterreportingdata)orexternally(e.g.throughreviewingfinancialcrimeintelligence,knowledgesharedwithintheindustryandfinancialcrimeguides). Forexample,theAustralianTransactionReportsandAnalysisCentre(AUSTRAC)'srecentfinancialcrimeguidetocuckoosmurfingoutlinescuckoosmurfing-relatedtypologiesandfinancialindicators; AmendmentstotheAML/CTFActandAML/CTFRules:Forexample,therecentAnti-MoneyLaunderingandCounter-TerrorismFinancingAct2020(No.133)andtherecentAnti-MoneyLaunderingandCounter-TerrorismFinancingRulesAmendmentInstrument2021(No.1)introducedmandatoryduediligencerequirementsthatreportingentitiesarerequiredtoapplybeforeenteringinto,andthroughout,correspondentbankingrelationships.Priortothereforms,reportingentitiestypicallyadoptedarisk-basedapproachtodeterminethelevelofduediligencerequiredtobeperformedoncorrespondentbankingrelationships,asnotedinFATF'sMutualEvaluationReportforAustralia.ThenewmandatorycorrespondentbankingduediligencerequirementsenabledeeperinsightstobeobtainedregardingcorrespondentbankingrelationshipswhichareabletobeincorporatedintoanEWRA;andSignificantchangesinthereportingentity'ssize,natureandcomplexity:Forexample,wherethereisamaterialchangeinthereportingentity'sorganisationalstructure,achangeinthenatureofitscustomerrelationships,theintroductionofnewproductsandchannels,theuseofnewtechnologies,ortheexpansionintoforeignjurisdictions. WidelypublicisedML/TFriskassessmentdeficienciesInadequateML/TFriskassessmentscanresultinpoorlydesigneddownstreamprocessesandcontrolsthatdonotappropriatelymitigateareportingentity'sML/TFriskexposure.DeficienciesindownstreamprocessesandcontrolsheightentheriskthatareportingentitymayfailtomeetitsAML/CTFobligationsandmayunwittinglybeexploitedbycriminalstofacilitateML/TFactivity.RecentregulatoryactivityhashighlightedtheimportanceofcomprehensiveandrobustML/TFriskassessments.PersistentfailingsrelatingtotheperformanceofeffectiveML/TFriskassessmentshavecontributedtowidelypublicisedAML/CTFcomplianceissues.OutlinedbelowaresomeoftherecentML/TFriskassessmentfailuresthathaveservedasaprecursorforregulatoryscrutiny:theapplicationofgenericML/TFriskassessmentmethodologieswhichdonotcomprehensivelyidentifyandassesstheML/TFrisksspecifictothereportingentity'ssize,natureandcomplexity; alackofreportingtoseniormanagementontheresultsofML/TFriskassessments; afailuretoadequatelyconsiderbothnewandexistingML/TFtypologiesinthedesignofareportingentity'sML/TFriskassessmentmethodology; afailuretoconductML/TFriskassessmentspriortotheintroductionofnewdesignatedservicesanddeliverymethods;andafailuretodesignandimplementappropriatecontrolstomanagecustomersassessedashighrisk.PracticalchallengesinconductingML/TFriskassessmentsThroughourworksupportingreportingentitiesinundertakingtheirML/TFriskassessments,wehaveobservedthefollowingchallengeswhenperformingML/TFriskassessments:Planningandallocatingresources:TheperformanceofML/TFriskassessmentscanberesource-intensive,particularlyingatheringtherequiredinformationfrombusinessstakeholders,systemsanddatabases.Reportingentitiesmaynothaveassigneddedicatedresources,orkeypersonnelmaynothavesufficientcapacity,toconductregularandcomprehensiveML/TFriskassessments.Inaddition,thequalityofML/TFriskassessmentsmaybeimpactedbyshortcompletiontimeframesorotherbusinesspriorities(e.g.business-as-usualactivitiesorstrategicinitiatives).Methodologydesign:Reportingentitiesmayfacedifficultiesdevelopinganin-houseML/TFriskassessmentmethodologythatprovidesacomprehensiveandrelevantviewofitsML/TFriskexposure.Where"off-the-shelf"ML/TFriskassessmentsolutionsareutilised,reportingentitiesshouldensuretheyareabletodemonstratetheirunderstandingofthesolutions'inputs,underlyingmethodologyandoutputs. Moreover,anML/TFriskassessmentmethodologyshouldincorporateacombinationofbothquantitativeandqualitativeriskattributestodriveamoremeaningfulandholisticassessmentofML/TFrisk.Engagingkeystakeholders:ToensurethatanML/TFriskassessmentaccuratelycapturesbusiness-specificML/TFrisk,asufficientlevelofengagementwithbusinessstakeholdersisrequired.However,theremaybechallengesinidentifyingstakeholderswithineachbusinessareawhohaveanappropriatelevelofknowledgeacrosstheriskfactors.Inaddition,aninsufficientlevelofAML/CTFknowledgewithinthebusinessmayimpedethereportingentity'sabilitytotrulyunderstandthelevelofML/TFriskpresentwithinitsvariousbusinessareas.Dataquality:WhilsttheutilisationofquantitativedatawithinanML/TFriskassessmentpromotesanobjectiveandconsistentriskassessmentapproach,reportingentitiesfacecommonchallengesingatheringmeaningfuldatathatisreliable,accurate,completeandconsistentlyavailableacrosstheentirebusiness. Controlsassessment:AfterassessingthelevelofinherentML/TFriskareportingentityfaces,theinclusionofacontrolsassessmentwithintheriskassessmentmethodologyallowsreportingentitiestodeterminetheirresidualML/TFriskexposure.However,incorporatingacontrolsassessmentmaybedifficultwherecontrolsarenotmaintainedcentrallyorcapturedaccurately.Furthermore,theabsenceofacontroleffectivenessassessmentimpedesareportingentity'sabilitytomeaningfullyconsidertheircontrolenvironmentwithinthecontextoftheirML/TFriskassessment. Enterprise-wideview:TheremaybesignificantchallengesassessingML/TFriskatanenterpriselevel,wherethereportingentityhasmultiplebusinessareasoroperatesacrossmultiplejurisdictions.UnderstandingthenuanceswithineachbusinessareaisessentialindefiningthescopeofanML/TFriskassessment.ConductinganEWRAmaybecomplicatedfurtherbythereportingentity'ssize,natureandcomplexity,orifspecificbusinessareasconducttheirownML/TFriskassessments,utilisingdifferentmethodologies. Timeliness:DeterminingtheappropriatetimingandfrequencyfortheperformanceofanML/TFriskassessmentisacommonchallengeforreportingentities.TheinsightsfromML/TFriskassessmentsneedtobeaccurateandrelevanttoassistseniormanagementtomakeinformeddecisionsrelatingtoML/TFriskmanagement.Therefore,theinformationanddatautilisedinML/TFriskassessmentsshouldbecurrentandreliable.Inaddition,theunderlyingriskassessments(customer,product,channel,andjurisdictionriskassessments)shouldbeconductedpriortoperforminganEWRA,toensureinputsusedintheEWRAareaccurateandcurrent.Considerationsforareportingentity'sML/TFriskassessmentInsummary,thedesignandimplementationofarobustML/TFriskassessmentenablesareportingentitytoeffectivelyidentify,manageandmitigateitsML/TFriskexposure.TheML/TFriskassessmentisapowerfuldiagnostictoolthatallowsareportingentitytounderstanditsML/TFriskexposure,setitsriskappetiteandimplementeffectivemitigatingcontrolsanddownstreamprocessesaccordingly. AfailuretoeffectivelyconductanML/TFriskassessmentmayinhibitareportingentity'sabilitytodetectanddisruptML/TFactivity,therebyexposingthereportingentitytopotentialregulatoryscrutiny,reputationaldamageandfinancialpenalties.ToaddresstheissuesandchallengesinvolvedindesigningandexecutinganML/TFriskassessment,reportingentitiesshouldconsider: Resourcingandbusinesspriorities: DoesthereportingentityhaveanoptimalresourcingmixandsufficientexpertisededicatedtoperformingML/TFriskassessments?HowareML/TFriskassessmentsprioritisedalongsidebusiness-as-usualactivities? Canexternalskillsetsandadditionalexpertisebesourcedtosupplementin-housecapabilities?DesigningML/TFriskassessmentsthatarefit-for-purpose: WhatinformationisreadilyavailableforinclusionwithinanML/TFriskassessment,sothattimelyandrelevantoutputscanbeobtained?WhatupliftactivitiesarerequiredtodevelopamoremeaningfulandmatureML/TFriskassessmentmethodology? CantheML/TFriskassessmentmethodologyberefinedtoincorporatereal-time,data-driveninputs?OngoingML/TFriskassessmentmaintenanceandperformance: IstheML/TFriskassessmentmethodologydueforaperiodicreview? DorecentupdatesintheAML/CTFlandscaperequirethereportingentitytoreviewitsML/TFriskassessmentmethodologyorconductanML/TFriskassessmentoutsideofitsregularcycle?  Author: TimBrookes,Director,RiskAdvisory;BrienCoram,Director,RiskAdvisory;TanyaRaitsina,Director,RiskAdvisory andSamanthaCarroll,CounselAshurstRiskAdvisoryPtyLtd(ABN74996309133)provideservicesundertheAshurstConsultingbrandandarepartoftheAshurstGroup.AshurstConsultingservicesdonotconstitutelegalservicesorlegaladvice,andarenotprovidedbyAustralianlegalpractitioners.Thelawsandregulationswhichgoverntheprovisionoflegalservicesintherelevantjurisdictiondonotapplytotheprovisionofnon-legalservices.FormoreinformationabouttheAshurstGroupandtheservicesoffered,pleasevisitwww.ashurst.com.    KeyContacts Webringtogetherlawyersofthehighestcalibrewiththetechnicalknowledge,industryexperienceandregionalknow-howtoprovidetheincisiveadviceourclientsneed. JonathanGordon Partner Sydney +61292586186 [email protected] VIEWPROFILE PhilipTrinca Partner Melbourne +61396793258 [email protected] VIEWPROFILE SamanthaCarroll Partner-Elect Brisbane +61732597549 [email protected] VIEWPROFILE BrienCoram Director,RiskAdvisory Sydney +61292586236 [email protected] VIEWPROFILE Keepuptodate Signuptoreceivethelatestlegaldevelopments,insightsandnewsfromAshurst. Bysigningup,youagreetoreceivecommercialmessagesfromus. Youmayunsubscribeatanytime.Signup Theinformationprovidedisnotintendedtobeacomprehensivereviewofalldevelopmentsinthelawandpractice,ortocoverallaspectsofthosereferredto.Readersshouldtakelegaladvicebeforeapplyingittospecificissuesortransactions. Wevalueyourprivacy Weusecookiestoimproveyourexperienceonourwebsite.Bycontinuingtouseourwebsite,weunderstandthatyouarehappyforustodothis.Formoreinformationonhowweusecookies,orhowtochangeyourbrowsersettings,pleaseseeourCookiePolicy. REJECT ACCEPT MyDocuments Materialpersonallyselectedbyyourrelationshipmanagerforyourinterest. MyBookmarks Accessallofthecontentthatyouhavepreviouslyselectedtobookmark. Getstarted ​ScrollthroughtheseslidestoaccessthepersonalisedfeaturesofyourDashboard. MySuggestedReading Avirtuallibraryofregularlypostedinsightsandlegalupdatesbasedonyourselectedpreferences. Next GetStarted X Clicktoexplore WORLDMAP REGION OFFICE Explore ForgotPassword-AshurstAccount Ifyouhaveforgottenyourpassword,youcanrequestanewonehere. EMAILADDRESS SUBMIT Login USERNAME PASSWORD LOGIN Forgotpassword? Pleasecontactyourrelationshipmanagertofindoutmoreaboutourclientportal.