How to use a risk-based approach to carry out a risk assessment of your business.
Businesses regulated by the Money Laundering Regulations must assess the risk that they could be used for money laundering, including terrorist financing.
You can decide which areas of your business are at risk and put in place measures to prevent money laundering occurring by using what’s known as a ‘risk-based’ approach.
This guide gives an overview of the risk-based approach and helps you to carry out a risk assessment of your business. It also outlines your day-to-day responsibilities under the Money Laundering Regulations.
The risk-based approach
Businesses that are covered by the Money Laundering Regulations have to use a risk-based approach to prevent money laundering. This involves following a number of steps.
You have to:
- identify the money laundering risks that are relevant to your business
- carry out a detailed risk assessment of your business, focusing on customer behaviour, delivery channels and so on
- design and put in place controls to manage and reduce the impact of these risks
- monitor the controls and improve their efficiency
- keep records of what you did and why you did it
Advantages of the risk-based approach
You’re able to decide on the most cost-effective way to control the risks of money laundering when you follow the steps involved in the risk-based approach. This allows you to focus your efforts and resources where the risks are highest.
How to carry out a risk assessment
You can decide for yourself how to carry out your risk assessment. It might be quite simple or very sophisticated depending on:
- the size and structure of your business
- the range of activities your business carries out and the nature of the products and services it supplies
When you assess the risks of money laundering that apply to your business you need to consider:
- the types of customer you have
- where you and your customers are based
- your customers’ behaviour
- how customers come to your business
- the products you sell or the services you offer
- your delivery channels and payment processes, for example cash over the counter, cheques, electronic transfers or wire transfers
- where your customers’ funds come from or go to
Customers that might pose a risk
Your business might be at risk of money laundering from:
- new customers carrying out large, one-off transactions
- a customer who’s been introduced to you - because the person who introduced them to you may not have carried out ‘due diligence’ thoroughly
- customers who aren’t local to your business
- customers involved in a business that handles large amounts of cash
- businesses with a complicated ownership structure that could conceal underlying beneficiaries
- a customer - or group of customers - who makes regular transactions with the same individual or group of individuals
Customer behaviours that might suggest a risk
Behaviour that may indicate a potential risk could be when a customer:
- doesn’t want to give you identification, or gives you identification that isn’t satisfactory
- doesn’t want to reveal the name of a person they represent
- agrees to bear very high or uncommercial penalties or charges
- enters into transactions that don’t make commercial sense
- is involved in transactions where you can’t easily check where funds have come from
When to check source of funds in one-off transactions below €15,000
The way customers present themselves and the source of their funds are key indicators of potential risk.
You should be able to show, through your risk-based approach, that you’ve taken all reasonable steps to satisfy yourself that the transaction isn’t suspicious, including, where appropriate, identifying the source of funds.
This is best done through independent documents or data provided by the customer, for example, a payslip or bank statement. The documentation required and the level of checks will depend on the risks to your business.
Where a person is sending money for someone else and information such as a wage slip or bank statement isn’t available you should consider obtaining and keeping a signed certificate/declaration by the customer about the source of funds – checked against a proof of ID document, such as a passport.
Example 1 - A customer claims they are transmitting money on behalf of a group of friends. You should consider writing down details of the names and addresses of the friends and the amounts to be transmitted.
Where you have to accept a declaration it’s sensible to include details of something that can itself be checked. This could be contact details for each person named in the declaration, but every case will be different.
Example 2 - A customer claims the cash is from the sale of a car. You should include details of the car, its registration number and the date of sale. This will provide you with protection, as you’ll be able to show that you have undertaken sufficient checks and will allow law enforcement agencies who can use such details to follow up on transactions after the event if they need to.
The essential point is that the customer has provided you with information that can be checked. Whether you do any additional checks on that information will depend on your view of the risk.
HM Revenue and Customs (HMRC) expects that businesses have an operating risk based system in place, which is fully documented. If a business doesn’t apply its own risk based approach to ‘source of funds’ checks, then HMRC will expect that you seek additional verification on payments below €15,000 when:
- the customer has presented cash in payment for the transaction, which is five times the size of an average transaction for your business
- the customer has paid for the transaction by cheque or debit card, which is ten times the size of an average transaction
‘Average transaction’ means the total value divided by the number of transactions over a given period. ‘Your business’ means calculated by each branch (where your business has more than one premises including the premises of any agents who act on your behalf).
Example 3 - You have transmitted £100,000 over 100 transactions in the given period, so the average value of your transactions is £1,000. You should check the source of funds on any cash transaction for £5,000 or more and any non-cash transaction for £10,000 or more.
The length of time you use to decide the size of an average transaction for your business isn’t fixed, although it should be at least one month. Ideally, the average transaction value will relate to a single set of premises. If you have more than one set of premises within your registration you may decide to fix the transaction level either by individual location or by reference to all the transactions across the whole of your business, being aware of the transaction levels between different locations.
You may limit the source of funds checks to the top 5% of transactions by value if the number of transactions to be checked exceeds 5% of your total transactions
Where funds have come from a bank account, you can take some re-assurance that the customer’s identity and personal details may have been checked by another regulated business in the UK or another country which is prepared to provide the customer with account facilities. However, you shouldn’t be satisfied just because the money has come from the customer’s bank account that the source of funds is lawful.
You should take a risk based approach, so that you’re content with and establish how the money got into the bank and where the money came from, such as:
- a cheque from a family member
- payment from the sale of personal items
An indication of higher risk might be if funds in the bank account had been paid in cash shortly before the transaction. Just because the funds have been through a bank doesn’t mean that you can always assume that you don’t need to check the source for them, especially if they seem unusual.
You must send a Suspicious Activity Report (SAR) to the National Crime Agency if you have any suspicion that the transaction relates to money laundering and/or terrorist financing, and get consent from them to continue with the transaction. You should always report before a transaction is made where possible. If your suspicion is raised after the transaction is completed you must send a SAR at the earliest opportunity.
Risks associated with your products and services
Depending on your business type there may be a risk:
- that inappropriate assets could be placed in your business, or moved from or through it
- from a product or service which allows the ownership of assets to be disguised
- when you supply services without meeting your customer face to face
The types of risk you need to identify will depend on the nature of your business. For example, ‘High Value Dealers’ need to be aware of the risk associated with cash sales of high value goods that can be either:
- sold through the black market - these are generally luxury items
- returned to the retailer in exchange for a legitimate cheque from them
Get more information
You can get more guidance on carrying out your risk assessment from the HMRC leaflets for:
What to do when you’ve carried out your risk assessment
Once you’ve completed your risk assessment you need to:
- put in place controls and systems to reduce any risks of money laundering that you identified
- monitor your business on an ongoing basis to make sure your controls are effective
- identify and report any suspicious transactions or activities