AMLG1800 - Guidance for all sectors: Risk Assessment
8. Risk assessment
Important Note:Every supervised business must carry out a risk assessment which involves taking appropriate steps to fully assess and identify the risks of money laundering, terrorist financing and proliferation financing which the business may face. |
Why is a risk assessment necessary?
A risk assessment is necessary in order for the business to understand its risk exposure to money laundering, terrorist financing and proliferation financing. A proper assessment of these risks will enable the business to mitigate those risks and fully inform the policies controls and procedures (PCPs) which must be put in place to manage, mitigate and reduce the identified risks.
This is done using a risk-based approach. You can only develop effective PCPs once you have properly identified and assessed the risks your business faces.
Conducting – and regularly reviewing – your risk assessment is also required to help you:
- Understand how risks facing your business may change over time or in response to actions you take;
- Design and implement systems and controls that can detect and respond to suspicious activity; and
- Ensure staff are aware of risk indicators of possible money laundering, terrorist financing and proliferation financing they may encounter and know how to respond appropriately. Please see AMLG11100 for further guidance on suspicious activity.
What is a risk-based approach?
A risk-based approach means ensuring that the measures you put in place to manage and reduce risk are tailored according to the level of risk that you have properly assessed in your risk assessment. An effective risk-based approach enables you to focus your efforts and resources where the risks are highest allowing you to apply proportionate measures to effectively manage and reduce those risks.
What must you take into account when conducting your risk assessment?
In deciding what steps are appropriate when conducting your risk assessment, you must take into account:
- The nature and size of your business.
- All wider factors which are relevant to your business activity.
- Risks that are more specific to your business such as those that apply to particular services or customers.
Your risk assessment must also take into account and act on information made available to you by HMRC. This includes this guidance and any further relevant sources of guidance referred to within it including HMRC’s own risk assessment applicable to your business sector (Part 3 of this guidance), and the applicable National Risk Assessments (NRAs) in relation to money laundering, terrorist financing and proliferation financing.
The NRA is a central part of the UK’s “risk-based approach” to countering ML and TF. The NRA sits alongside System Prioritisation which aims to publish a list of economic crime priorities to inform public-private resource. These are intended to support participating parts of the regulated sector to effectively allocate their internal resources on a cost-neutral basis while maintaining their regulatory responsibilities.
Typologies in the NRA should be read in conjunction with the priorities published by the NECC & FCA under System Prioritisation. These priorities are intended to provide context to the risks in the NRA and will provide more detail on the priority areas some sectors should note for certain typologies. The priorities are expected to be reviewed annually as well as on publication of a new NRA. When the priorities are published guidance will be provided on how to relate these to each NRA typology.
You should take account of the system priorities and pay particular attention to suspicious activity which might fall into one of the priority categories, making a detailed suspicious activity report (SAR) where appropriate, given these activities are of key interest to law enforcement.
Can the presence of one risk factor indicate a high risk?
Your risk assessment should be approached holistically, taking into account the full range of relevant risk factors to form an overall judgment. The presence of a single high-risk indicator may suggest elevated risk, but it does not automatically mean the situation is high risk in its entirety. Where a high-risk factor is identified, businesses should consider its impact in the broader context, determine whether the overall risk level is high, and ensure that this assessment is recorded.
It is important to note, however, that there are certain factors below that are specifically identified in the Regulations as requiring EDD, even if no other risk factors are present.
- Entering any business relationship with a person established in a country named on the list of High-Risk Jurisdictions subject to a Call for Action published by Financial Action Task Force (FATF).
- The proposed transaction is a relevant transaction where either of the parties to the transaction is established in a country named on the FATF list referred to above.
- A customer has given you false information regarding their identity or false or stolen identification documents (immediately consider reporting this as suspicious activity).
- A customer is a PEP, or an immediate family member or a close associate of a PEP. For further information on PEPs, please see AMLG11650.
- The transaction is unusually complex or unusually large given the nature of the transaction.
- The transaction follows an unusual pattern or has no apparent legal or economic purpose.
HMRC expects businesses to not only identify, assess and document these risks but also to ensure that their PCPs properly reflect and address those risks individually. For example, the Regulations specifically require additional measures (known as enhanced due diligence (EDD)) to be put in place to manage and mitigate the associated risks above, even if no other risk factors are present. Your PCPs must set out what steps your business should take to apply EDD. Your PCPs must be properly communicated throughout your business.
See AMLG11600 for further information on when you are required to apply EDD measures.
Important Notes:You must ensure that your risk assessment is reviewed and updated accordingly to remain compliant with the Enhanced Due Diligence (EDD) requirements outlined in regulation 33. If you identify one or more risk factors in relation to your business or a particular situation, but you decide that the overall risk is not high, HMRC expects you to:
This is an important part of applying a risk-based approach. It will assist you to demonstrate that your business is compliant with the Regulations by actively assessing risks and making informed decisions, rather than applying a one-size-fits-all approach. |
8.1 General Risk Assessment requirements
Your risk assessment must be:
Comprehensive
You must identify and assess the money laundering, terrorist financing and proliferation financing risks to which your business is exposed. This includes risks relevant to your business in general and specific risks relevant to its:
- customers and any underlying beneficial owners;
- specific products, transactions or services;
- delivery channels, for example face to face, through intermediaries or online; and
- the countries and geographical areas in which it operates.
For further information regarding these risks, see below. You must be able to understand all the ways that your business could be exposed to those risks and assess the likelihood and frequency of those risks.
Specific to your business
Your risk assessment must be specifically tailored to your business. If you chose to use a generic template risk assessment, or you seek to rely on a risk assessment provided or prepared by a third party, it must be fully adapted to your specific business and the sector it operates in. If a risk assessment is carried out by a third party, it still remains your responsibility to ensure that it properly reflects the risks to which your business is exposed. Similarly, the day-to-day delivery of the PCPs remains the responsibility of the business.
Recorded in writing
Your risk assessment must be a written document or series of documents which record/s the steps that have been taken to identify and assess the money laundering, terrorist financing and proliferation financing risks to which your business is exposed. It must also record the following:
- The risk factors that have been taken into account.
- The information and sources which you have used to form your risk assessment.
- The date that the risk assessment was carried out and the date of any review or change to the risk assessment, along with how it has changed.
Regularly reviewed and updated
Your risk assessments should be dynamic and HMRC expects businesses to update their risk assessments when there are any changes that may be relevant their risk exposure, for example:
- If you adopt a new business operating model, such as:
- Offering a new service or product.
- Changes to your client base.
- Operating in a new jurisdiction, and especially a high-risk jurisdiction;
- Using a new piece of technology in the delivery of your services;
- Changes in management/ownership of your business;
- Starting using agents, or opening a new branch; or
- Changes to your agent network (if your business uses agents).
- Where any new risks of money laundering, terrorist financing or proliferation financing emerge. There are several ways to stay informed about emerging risks such as:
- Published guidance including HMRC guidance and alerts and the NRAs;
- Open-source material;
- Subscribing to Government alerts e.g. signing up to Government alerts from HM Treasury, Home Office and the NCA;
- Industry bodies and newsletters e.g. subscribing to updates from the Joint Money Laundering Steering Group (JMLSG),
- Professional networks, conferences and webinars: these often feature expert analysis on emerging threats.
- When there is any change to the Regulations such as an update to the FATF list of countries subject to a call for action (i.e. the FATF black list).
In any event, HMRC expects your risk assessment to be reviewed at least annually. You should record the review date and note any updates. If no changes are made, you should still record the review and the reasons for maintaining the current assessment.
Copies of all previous versions of your risk assessment should be kept for a minimum of 5 years and will need to be provided to HMRC in any compliance intervention to demonstrate you have complied with the requirements under the Regulations and followed this guidance.
Provided to HMRC when requested
You must provide your risk assessment to HMRC when requested.
If requested, you must also provide:
- Any previous versions of your risk assessment;
- Your record of the steps you have taken to prepare your risk assessment; and
- The information on which the assessment was based.
HMRC will ask for a declaration that you have a written risk assessment and policies, controls and procedures - see AMLG1900) when you apply to register and will refuse your application if you do not. HMRC may carry out spot-checks on some businesses and may also request your risk assessment at any time to check your compliance with the Regulations.
Further information in this guidance on risk factors which must be considered in your risk assessment and appropriately addressed in your PCPs can be found in Part 2 and Part 3 of this guidance.