AML Risk Assessment – What Is It? How Does It Work?

Money launderers can make unwitting accomplices of any business they interact with, and thus expose those entities to their own legal woes. These criminals frequently make victims of organizations in the money service and ecommerce space, and that’s why anti-money laundering risk assessments are so important to all kinds of businesses worldwide.

Such assessments are carried out in a variety of ways, and the best ones see the risk assessor considering the latest trends in money laundering, as well as what mistakes leave businesses open to suspicious customers and transactions.

In fact, ensuring your organization has the best possible AML risk assessment will also help ensure it has the best possible cyber insurance coverage.

Let’s focus on what AML risk assessments are and how they’re conducted.

What Is an AML Risk Assessment?

An AML (anti-money laundering) risk assessment is the process by which an organization assesses the extent to which it is both protected from and vulnerable to money laundering operations. This can – and should – be carried out regularly via internal controls, AML software and third parties.

The assessment is carried out differently from organization to organization and the industry guidance they choose to follow, but it should be as holistic as possible – that means assessing the AML efficacy of all manner of organizational risk categories, such as business operations, customer bases, and human factors.

AML risk assessments can and should be ongoing processes because the activities of money launderers and AML precautions develop over time. For reasons that will be made clearer in the next section, such risk assessments can be optional but may also be required by certain financial authorities.

Are AML Risk Assessments Required?

Not necessarily. Whether your organization will be required to carry out an AML risk assessment hinges on whether you are in an industry and a jurisdiction where you could face penalties for refusing to do such an assessment. 

While many organizations take it upon themselves to do optional AML risk assessments to meet their own business goals, other organizations may only do them when they are legally required to by one or more authorities. Nevertheless, regardless of the context, it is very rare that an organization can successfully claim exemption from carrying out and disclosing an AML risk assessment if the authorities legally demand it.

It is also useful to note that, although the AML risk assessment itself is often not required by law, many components that help to make up a complete AML risk assessment are in fact required. For instance, a staple part of such a risk assessment is an accurate list of company transactions – and this is essential both in the eyes of the law and in terms of your organization’s operations and overall success.

Determining When an AML Risk Assessment Is and Is Not a Requirement

The below table shows two core examples in which an AML risk assessment is a requirement, and two other examples where it is simply optional.

There are many other factors that dictate whether an AML risk assessment is a requirement or just an option, and the best way to determine which extreme applies is to research the background of each organization on a case-by-case basis.

One important point to remember is that AML regulations and AML risk assessment requirements are different things: You may need organizational change to comply with AML regulations, but whether you’re required to do an AML risk assessment itself is determined by the nature of your organization and its specific circumstances.

How to Conduct an AML Risk Assessment

You conduct an AML risk assessment by determining risk factors, gathering the relevant information accordingly, and then compiling the results and reaching conclusions about your organization’s money laundering risk level. 

Based on information from the Wolfsberg Group, the frequency of AML risk assessments varies a great deal, especially given the number of factors that determine how often they should occur. These factors include the methodology, workload, significant security breaches, and the results of the assessment itself. Depending on what the assessment determines, an escalated schedule for the next one may seem necessary.

Nevertheless, while organizations and jurisdictions have different factors and criteria that shape how best to conduct AML risk assessments, the key to a strong assessment is in carrying out diligent manual research. Anyone conducting such an AML assessment for an organization should be prepared to interview the staff, read up on the anti-money laundering regulations in place, monitor the entity’s financial transactions closely, and implement a rigorous training and awareness program, among other things.

When conducting an anti-money laundering risk assessment, there are core dynamics that need to be assessed which each form the basis of determining the organization’s risk level:

• Business activities and products: The risk assessor must determine how the organization carries out its business operations and what AML precautions are in place to avoid the sale of products/services that can be exploited by money launderers.
  • What to do: Monitor the operations of the organization and its transactions and determine the extent to which the services could be exploited, internally or externally. One of the crucial ways to do this is to base your observations and judgments on how and why, if applicable, the organization has witnessed previous instances of money laundering scams in the past. On top of this, try to anticipate how the business could be subjected to – or even guilty of – money laundering by reading news reports of organizational approaches to money laundering. All this information will help you to set a criteria by which to assess the financial security implications of the organization.

• Customers and geographies: Anyone assessing AML risks must understand the profiles of the given organization’s customers and where those customers are operating from. In fact, they should know as much as possible about where the organization itself is operating from, as well, because certain locations are considered more high-risk than others.
  • What to do: Ensure that Know Your Customer (KYC) checks have been implemented from the very onboarding stage and review any recorded KYC documentation. Also, the assessor must base their risk assessment on documents from authorities that determine what constitutes and is listed as a high-risk country for money laundering. The Treasury of the UK, for instance, provides such a list published online.

• Internal controls and human factors: Along with monitoring the effectiveness of KYC checks, the assessor must monitor what organizational policies and other systems – collectively called internal controls – have been put in place to control money laundering activity, which includes insider threats. As for the human factors, whether the organization’s staff are unintentionally or intentionally opening the business up to money laundering risks, their actions and attitudes in terms of AML precautions must also be closely examined.
  • What to do: Keep a checklist of the organization’s internal controls and determine how effectively they are being implemented and followed. In the context of AML, internal controls can form both mandatory compliance systems and organization-specific policies, but in either case, the risk assessor will benefit from interviewing the staff about their knowledge of and accountability in the organization’s assigned anti-money laundering controls.

The below infographic shows some of the key questions that an AML risk assessor should consider in terms of these three core dynamics. 

Risk Assessment in Customer Onboarding Process

This concerns how the AML risk assessment fares when it focuses on the process of signing up new customers and setting up their accounts. The risk level that comes from customer onboarding can be mitigated by ensuring that the best-practice KYC checks are in place as a large part of a greater risk assessment program.

There is a significant money laundering risk that comes when organizations don’t have stringent Know Your Customer (KYC) precautions in operation. As such, anyone who conducts an AML risk assessment will be carefully inspecting the safeguards that are in place to protect the organization and its customers from suspicious new accounts.

There is a multitude of ways that risk assessments can hone in on potential money laundering risks throughout the customer onboarding process, but a focus on KYC helps build a strong foundation for combating suspicious applications.

In fact, if the organization is a high-risk vertical like a casino, the risk assessor may need to go to extra lengths to ensure that the business asks for the following examples of personally identifiable information (PII) before each customer can be signed up to the business:

• their name, location, and occupation
• their email address and phone number
• their photo ID and proof of address, such as a utility bill

On top of this, the risk assessor may wish to bolster the efficacy and stringency of their AML risk assessment by going further and looking for the most up-to-date approaches to PII, such as biometric verification and self-sovereign identity (SSI) checks.

Ultimately, acting on the need for KYC best practices and PII where applicable will help build a comprehensive profile of account applicants, and will support the risk assessor in determining another part of their AML risk assessment, known as the customer risk assessment. This is where further checks that are specific to the individual arise, such as customer due diligence – and, in the case of the more high-risk customers – enhanced due diligence.

Steps for Completing an AML Risk Assessment

Let’s have a closer look at the necessary actions to achieve the process, and at all stages, the assessor must always remember to document their methodology and the experience throughout the process. 

Each step-by-step process will vary depending on the organization, jurisdiction, and a multitude of other factors. However, the core stages can be summarized in the following three-part list: identify, evaluate, and utilize. Let’s take a closer look.

1. Identify the risk factors and the extent to which they can harm the given organization.
2. Evaluate the AML controls already in place and determine how effective they are relative to the now-established risk factors. Decide whether new controls should be implemented accordingly.
3. Utilize the information gleaned from points 1 and 2 to record and establish the risk ratings of each risk factor and state what the AML priorities should be, as well as your overall conclusions about the money laundering risks.

Again, you should keep a record of your AML risk assessment methodology and your processes and observations throughout these stages. By doing so, you will be able to show your workings if or when an AML audit/investigation is called for, and you will also help yourself to improve the process for the next time an AML risk assessment is in the best interests of the organization.

How SEON Helps with AML Risk Assessment

AML risk assessments are helped by SEON thanks to its KYC AML transaction monitoring system, which determines the extent to which an exchange is suspicious or legitimate and assigns a fraud risk score accordingly.

Let’s take a look at the below animation that shows the system working its magic!

As shown above, when a user enters a prospective customer’s email address, SEON’s software is able to determine whether that account is connected to a lack of social and digital footprints.

On top of this, SEON also checks if the person’s digital profile matches up to the identity verification and KYC checks. Plus, the software also checks whether the user is on other online accounts, such as Netflix and LinkedIn, because – especially nowadays – it is suspicious that someone would not be on at least one of these kinds of major accounts.

All in all, SEON is well-equipped to tackle suspicious accounts and help you determine the AML risk levels of your customers accordingly.

Sources

• The Wolfsberg Group: The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption
• Gov.uk: Money Laundering Advisory Notice: High Risk Third Countries
• Corporate Compliance Insights: Cognitive Robotics and the Annual AML Risk Assessment
• Saction Scanner: What is Customer Risk Assessment?