Firm-wide risk assessments
Firm-wide Risk Assessment (FWRA) is a foundational document.
A Firm-wide Risk Assessment (FWRA) is a critical element of AML compliance, examining every aspect of your firm’s operations to identify vulnerabilities related to money laundering and terrorist financing. Recent supervisory reports indicate that inadequate FWRAs are a leading cause of non-compliance, underscoring the importance of understanding and implementing them correctly. Your FWRA is unique to your firm. It is reflected in your client risk assessments and the policies, controls and procedures that provide the framework for your firm’s AML compliance across its day-to-day activities.
Compliance with the legislation
The need for a FWRA comes from MLR 2017 (regulation 18), which requires that certain factors must be considered. A firm must ‘identify and assess the risks of money laundering and terrorist financing to which its business is subject’. Your risk assessment must take into account the size of the firm and the nature of its business. It must be kept up-to-date and clearly documented. MLR 2017 specifies that you must take into account relevant information made available by your supervisory authority, and any risk factors relating to:
- the firm’s clients,
- the countries in which the firm operates,
- the services it is willing to provide,
- the transactions it is likely to undertake, and
- the ways in which the firm delivers its services (its ‘delivery channels’).
What do we mean by AML risk?
It is important to be clear what we mean when we refer to AML risk, so that we can focus our efforts on achieving the necessary outcomes. Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing Guidance for the Accountancy Sector (AMLGAS) uses the term ‘risk-based’ throughout, but doesn’t say what ‘risk’ means in the context of AML compliance. (Yet supervisory authorities will take into account whether firms have applied AMLGAS.)
The UK’s 2020 National Risk Assessment of money laundering and terrorist financing sets the scene when it states:
‘Overall, the risk of money laundering through [accountancy firms] remains high. The risk is highest when [firms] do not fully understand the money laundering risks and do not implement appropriate risk-based controls …’
The Financial Action Task Force (FATF) noted, in 2018, that smaller firms are generally of higher risk, due largely to a lack of resources. That lack of resources includes inadequate training and, to some extent, a lack of understanding.
A risk-based approach requires us to understand money laundering risks, terrorist financing risks and proliferation financing risks. A risk that is easy to understand is the risk that an individual or a firm may, unwittingly, play a part in a transaction that moves the proceeds of crime. In practice, this is unlikely unless the firm operates a client bank account, in which case you must be able to understand the legitimate reason for a client wanting or needing to use that account.
But there is also a risk that a firm may unwittingly breach POCA section 327 (concealing or disguising criminal property) or section 328 (arrangements that facilitate money laundering). So a firm must be alert to the risks of being exploited in these ways.
We are expected to know our clients well – so that we can serve them well. So we are also expected to notice things that are unusual and that might even arouse our suspicion. So in addition to the risk that a firm may be exploited in facilitating or concealing money laundering, there is also a risk that it may fail to identify possible money laundering, which would include failure to identify the proceeds of crime.
To look at AML risk a slightly different way, there are risks that the proceeds of crime may go unnoticed – a risk to the public – and there are risks to the firm. The latter come in the form of reputational risk in respect of the firm’s non-compliance, and the risk that action by the firm’s supervisory authority will lead to robust sanctions against the firm and significant costs of remediation. If the firm manages the risk to the public appropriately, it will also be managing the risks to the firm itself.
Client Risk
The assessment of AML risk relating to each individual client is part of the client due diligence process. But the FWRA is relevant to all client risk assessments, as it is the context within which all client risk assessments are performed. While each client is unique, and each client risk assessment must respond to that uniqueness, a firm’s clients can also be considered collectively as part of the FWRA.
At the firm-wide level, the risk assessment should consider whether the firm specialises in certain industries (in sectors favoured by money launderers, or that present a risk in respect of terrorist financing or proliferation financing). Certain sectors, such as the cryptocurrency sector, are more exposed to the risk of money laundering and terrorist financing. The firm should also consider where any overseas clients and their owners are based, and whether any clients sit within complex group structures, or are likely to have connections with politically exposed persons (PEPs). Considering these factors across the firm will alert relevant employees to the risks in respect of individual clients, and the firm will be able to plan relevant training to help ensure client risks are mitigated effectively.
Geographic Risk
Firms must carefully consider all the countries and regions overseas where their clients operate to assess the firm’s risk exposure in respect of clients in those areas. Clients in jurisdictions identified by the FATF as “high-risk third countries” require enhanced scrutiny (i.e. enhanced due diligence) and more rigorous ongoing monitoring. A “high-risk third country” is named on one of the lists published by the FATF, namely the list of high-risk jurisdictions subject to a call for action, or the list of jurisdictions under increased monitoring.
Being aware of international sanctions and embargoes is also an important element of assessing risk relating to a firm’s clients and where they are based. When a client is part of a supply chain involving cross-border transactions, there may be a risk of sanctions breaches, and the controls designed to mitigate such risks will include research and training to maintain awareness of high-risk third countries and evolving sanctions.
Services and Transactions Risk
The services your firm is willing to provide and the transactions it is likely to undertake must form part of your FWRA. Your risk assessment must consider how easily a service could be exploited for money laundering, including the degree of anonymity it provides to clients, or the respectability and credibility the firm’s involvement might confer on a client and their operations. By understanding the money laundering risks relating to each service, you can develop policies and controls to apply whenever such services are being delivered.
Your FWRA must be prepared taking into account relevant information made available by the firm’s supervisory authority, which must, in turn, take account of the National Risk Assessment (NRA) prepared by the Government. The NRA has identified as higher risk the services of:
- payroll,
- trust or company services (as defined in regulation 12(2) of MLR 2017), and
- mainstream accounting services
The last of these concerns a risk that the firm inadvertently helps to conceal false accounting by creating incorrect bookkeeping records or producing false documents (such as a set of accounts).
The impact of transactions undertaken by the firm on its FWRA will largely depend on whether the firm is willing to handle clients’ money. Given the strict regulations of most of the professional bodies covering this area, many firms decide that they will not, under any circumstances, hold clients’ money. It may be useful to have a formal written policy to that effect as a clear mitigation of money laundering risk.
Delivery of the Firm’s Services
In the context of an accountancy practice, the risk relating to the delivery of its services concerns the firm’s proximity to its clients. For example, if the firm were expected to deliver its services through an intermediary, you would have to be sure that you understand the reason for this, and that you can perform the client due diligence effectively. More generally, it is common these days for firms to interact with clients online, and there might be a reluctance to slow things down by requiring a face-to-face meeting with the client before (or during) the delivery of the accountancy services. It is advisable to establish a policy on how the firm’s business will usually be conducted with clients, and to build in safeguards to ensure an effective relationship with every client. Once that policy is documented and understood, it will form a basis for this component of your FWRA.
Documentation Requirements
It is a specific requirement of MLR 2017 that the firm keeps its FWRA up-to-date and that the FWRA is documented, including the steps taken to arrive at the overall assessment. This is particularly important because MLR 2017 goes on to say that the firm must provide its FWRA to its supervisory authority if requested to do so.
Some professional body supervisors (PBSs) ask firms to submit their FWRAs annually, and the PBS may then use it as a basis for determining which firms to monitor more closely over the following months. So it is useful if your FWRA shows the steps taken to address any firm-wide risks. Your FWRA should be undertaken diligently, so that your supervisory authority has a reasonable level of confidence in your firm’s compliance. Simply assuming that the firm-wide money laundering risk is low (or manipulating it to be perceived as low) will not provide the protection from the supervisor that you might imagine.
Regular reviews of the FWRA are required to ensure it remains current. This will usually be at the time of performing an annual AML compliance review (which should be tailored to the size and nature of the firm). Not only should the FWRA be available to your supervisory authority, but it should always be readily available to the appropriate staff while maintaining strict security measures. This comprehensive approach supports your firm in effectively managing its AML responsibilities.
Ongoing Monitoring and Updates
Regular reviews of your FWRA are important, but it must also be revised whenever relevant business changes occur. Likewise, the impact on your FWRA of the findings of supervisory reviews and internal compliance reviews, employee feedback, etc. should be systematically considered, as should any new regulatory requirements. By regularly integrating these updates, your FWRA remains current, comprehensive, and aligned with evolving business and compliance environments.
Conclusion
A comprehensive FWRA is an essential element of a firm’s proportionate and risk-based approach to combating money laundering, terrorist financing and proliferation financing. Of course, an effective FWRA also serves as a protection for the firm in that it demonstrates AML compliance to its supervisory authority. The assessment process demands regular updates, thorough documentation, and systematic evaluation of the impact of changes and discoveries within the firm and the environment in which it operates. You should ensure that your up-to-date FWRA is put to good use, and that all relevant employees know where to access it and are made aware each time it is updated.