AML / CFT & Risk – Forced Marriage or Love Match?
The risk-based approach to AML / CFT is at the heart of European anti-money laundering legislation and regulation. Dominic Fisher, Head of Risk & Compliance (Advisory) at ARQ, reviews the challenge of integrating AML risk concepts and enterprise-wide risk management.
ISO 31000 defines risk as the ‘effect of uncertainty on objectives’. When you think about what that implies, every single organisation manages risks, whether or not it does so in a conscious and systematic way. However, regulation tends to act as a catalyst for improving organisational risk maturity. In the sphere of AML, the regulator has championed a risk-based approach, which has been supported by a range of mandatory requirements. Indeed, the latest Malta Implementing Procedures, which are binding on all subject persons, have a 33-page chapter on the ‘Risk-Based Approach’.
This Chapter includes detail on one of the most important of the risk-based requirements, which is to create and maintain a ‘business risk assessment’, in which organisations must identify and document their inherent money laundering (“ML”) risks – the interaction of external threats and internal vulnerabilities – and ensure that suitable mitigation measures are in place to counter such weaknesses. Whilst the regulator is not prescriptive about the risk methodology which is deployed, it is quite clear about the risk factors and other information that is expected to be taken into account (e.g. national and supranational risk assessments) when compiling these assessments.
The resulting assessment document, which has to be reviewed and updated on at least an annual basis, must be approved by Boards of Directors or equivalent bodies, but co-ordination between the AML team and the enterprise should go well beyond mere document review.
Dovetailing AML & Risk
Unquestionably, money laundering risk has been moving up the corporate agenda and for many organisations will at least feature in the top five entity level risks. Even if it is not one of the very highest risks, a big lesson that the risk management profession learnt from the financial crisis was to give proper attention to the high impact, low probability risks, which can be show-stoppers. These can be labelled terminal risks, and to find examples of ML risks resulting in corporate death one need only look at Malta’s banking sector.
Another important risk feature is the amplifying effect on ML risk of certain related risks. For example, heightened sectoral or jurisdictional risk can intensify the impact of an adverse AML event, as multiple black marks magnify difficulties. To harmonise AML risk management and enterprise risk management, a good place to start is with a risk appetite which should be owned at entity level and reflected in customer acceptance policies, which are often embedded within AML policies and procedures. In practice, organisational risk appetites are often silent or insufficiently detailed on AML risk appetite.
Another important challenge that should not be overlooked concerns risk terminology. Enterprise risk ratings or categories should be entity specific, and these don’t generally align with the risk scales used in anti-money laundering terminology. When only the very most salient of entity level risks are deemed to be high, Board directors may be taken aback to discover that a large proportion of their customer relationships present ‘high’ inherent risk from an AML perspective.
Whilst the authorities have always had clear expectations on the positioning of the MLRO in terms of independence and standing, they are now taking a much more intrusive approach towards the suitability of governance arrangements around matters related to AML, such as account closure committees and policy oversight arrangements. In conclusion, whether AML and risk’s union is a forced marriage or a love match, if you want to secure your organisation’s future, do try to make it work!
ARQ Group is the leading AML and anti-financial crime consultancy on the island. Our multi-disciplinary team also provides enterprise risk and governance services.