MLR3C8250 - Compliance visit tests: Checking risk assessment and management

Risk-assessment is the process that businesses use to identify the risks that the business is exposed to and determine the extent of customer due diligence measures and transaction monitoring that must be applied to adequately mitigate the risks.

MLR 2007 regulations 7(3)(a) and 8(3) on customer due diligence and ongoing monitoring of business relationships require that these measures be applied “on a risk-sensitive basis” depending on the type of customer, business relationship, product or transaction.

Further information on risk-assessment and management can be found in section 6 of MLR8

How risk-assessment is carried out will differ between businesses according to their size, structure, business activities and organisation.

From businesses with a number of premises and staff or agents you would ideally expect to see a written policy statement from senior management which describes the risk-profile for the business and it customers; explains the criteria that are used to risk-assess customers and transactions; and sets out the procedures and measures that are applied to mitigate the risks to the business of being involved in money laundering or terrorist activity, including management and individual employee responsibilities.

However, you will find that many smaller businesses with few or no employees to communicate to do not have a policy statement and do not formally document their risk-assessment policies and procedures. This may be acceptable if the managers of the business can demonstrate that the procedures and processes they have put in place effectively identify and monitor higher-risk customers and transactions and that appropriate checks are carried out in accordance with the regulations and guidance relating to customer due diligence, enhanced due diligence and ongoing monitoring

In many cases you will have to establish the business’s policies and procedures through interviewing the business owner or NO.

Compliance officers must use judgement to evaluate if the business has got it right or if there are weaknesses in the risk identification and management systems and controls that could result in a significant risk of money laundering or terrorist financing activity taking place.

The compliance objective is to evaluate if the risk-assessment and management procedures are appropriate and effective in identifying risks and directing the business’s AML controls to successfully mitigate them.

Officers will need to consider the information provided by the business together with any risk information held by HMRC.

Officers should also consider the following aspects of risk-assessment and management:

  • Is the business and customer profile information held or provided consistent with the business records and the practices observed during the visit?
  • Has the senior management explained the money laundering or terrorist financing risks that the business is exposed to?
  • What are the indicators of higher-risk customers, products and transactions?
  • Are, relevant staff aware of the risks and appropriate procedures to follow?
  • Are higher-risk customers and transactions subjected to enhanced levels of customer due diligence and monitoring?
  • Are business relationships established with all or some of the customers?
  • If so, how is risk assessed and categorised when a business relationship is established? What criteria are used?
  • What customer monitoring arrangements are put in place?
  • How are higher-risk transactions recognised and subjected to the appropriate level of scrutiny?
  • (For MSBs and HVDs) is there a system to identify transactions that have been split into smaller amounts below the threshold for verification of the customer’s identity?
  • (For MSBs and HVDs) is there a system to identify and scrutinise unusual patterns of transactions which have no apparent economic or visible lawful purpose.
  • Are there any customers who could be politically exposed persons? If so, how are they identified?
  • In what circumstances, if any, are sanctions lists checked?
  • How does the business keep its risk-awareness and controls up to date?
  • When and how are risk-assessments reviewed and updated?
  • Is the approach to risk-assessment and management appropriate in relation to the business’s structure?

The effective operation of the risk-assessment and management policies and procedures should be confirmed through examination of relevant internal policy/ risk assessment and management documents, where available, and sample testing of customer files and transaction records to ensure that the customer due diligence and monitoring procedures are appropriate to the levels of risk arising from the types of customers and transactions.