Risk of confusion
Darren Boschat of Oben Regulatory discusses potential pitfalls when carrying out financial crime risk assessments.
Types of Risk Assessment
A risk-based approach implies both the regulator and industry understand the risks they face and allocate their resources accordingly. Firms in Jersey, like other jurisdictions, are obliged to maintain a range of risk assessments for different purposes, including:
- ML/FT/PF Business Risk Assessment (“BRA”) – all firms subject to AML/CFT/CPF supervision must assess their money laundering, terrorist financing and proliferation financing risks and then establish an AML/CFT/CPF Strategy and corresponding systems and controls;
- Compliance risk assessment (“CRA”) – firms subject to prudential and conduct of business supervision must assess the risk that they will breach relevant compliance obligations and implement a risk-based compliance monitoring plan; and
- Enterprise risk assessment (“ERA”) – finally, firms subject to prudential and conduct supervision must also maintain an overarching risk assessment covering any significant risks that they face which should inform their wider systems and controls.
Each of these risk assessments is important and useful, when approached correctly. Risk assessments present an opportunity for firms to identify and analyse the risks they face and determine appropriate control measures. However, these benefits can be undermined when firms combine their risk assessments or conflate risks with differing characteristics.
The most common example of this relates to the BRA which is, rightly, subject to regular scrutiny by the JFSC. Firms may be tempted to combine the BRA with other risk assessments for the sake of efficiency and consistency. Whilst not mandatory, this approach is to some extent condoned by guidance published by the JFSC which envisages that firms may extend their existing risk management systems to address AML/CFT/CPF risk.
The Differences
Whilst we consider there are benefits in co-ordinating and aligning risk assessments, we would caution against combining them, for several reasons:
- Purpose – each risk assessment has a different purpose. The BRA is intended to help inform the design and deployment of controls to counter specific financial crime risks whereas the main purpose of a CRA is to help a firm decide how to deploy compliance monitoring resources across the full range of its compliance obligations. The purpose of the ERA is to identify and control the most significant risks to the firm’s objectives;
- Scope – a BRA relates to a firm’s potential exposure to a relatively narrow set of criminal activities. A CRA relates to the firm’s compliance obligations which, for many firms, will extend beyond financial crime related matters to include governance, prudential and conduct of business-related obligations. The scope of the ERA is wider still in that it relates to any significant risk that the firm may face;
- Characteristics – financial crime risks have different characteristics to conduct of business risks in that they typically relate to the threat that customers, or other external parties, pose to a firm. Conduct of business risks tend to work in the opposite direction in that they involve threats that a firm can pose to its customers; and
- Calculation – the BRA requires the firm to reach a cumulative assessment of its exposure to money laundering, terrorist financing and proliferation financing. This logically implies that the firm will need to combine the individual components of its BRA, giving a weighting to each element, to arrive at an overall risk score. This is a challenging task; introducing wider risks to the structure and content of the BRA will complicate it further.
Common Mistakes
Overlooking the differences highlighted above can lead to mistakes in the risk assessment process. We suggest that firms:
- Keep it simple – don’t complicate the structure and content of the BRA beyond what is necessary. The AML/CFT/CPF Handbook envisages an assessment of the firm’s exposure to money laundering, terrorist financing and proliferation financing with reference to its: i) customers; ii) geographic exposure; iii) products and services; iv) delivery channels; and v) certain organisational factors. Extending the structure and content of the BRA will complicate the task of calculating aggregate risk levels;
- Don’t lose sight of the purpose – the purpose of the BRA is to understand the firm’s potential exposure to money laundering, terrorist financing and proliferation financing and thereby inform its AML/CFT/CPF Strategy and relevant systems and controls. The main purpose of the CRA is to inform the deployment of compliance monitoring resources. An ERA is designed to identify and mitigate significant risks to the firm’s objectives. Whilst there are some similarities and overlaps, each risk assessment has a different purpose;
- Don’t treat controls as risks – consideration of existing AML/CFT/CPF controls within the BRA is useful insofar as it helps the firm to assess residual risk levels and identify any significant areas of uncontrolled risk. What should be avoided is miscategorising controls as risks within the BRA by, for example, including risk descriptions such as “Risk that we fail to file SARs” or “Risk that we fail to identify a PEP”. These issues are important, but it is better to tackle them as part of the assessment of controls rather than as separate risks. The risk of breaching a specific rule or obligation can still be dealt with as a compliance risk within the CRA; and
- Don’t combine unrelated risks – in our view, the inclusion of non-financial crime related risks in the BRA can lead to confusion and inappropriate trade-offs. We would recommend that financial crime risks are treated separately, given that they differ from other risks in their characteristics, in the applicable risk appetite and in the methods used to control them.
How can Oben help?
Oben’s team has unrivalled experience in assisting businesses across the Crown Dependencies with the design and implementation of risk assessments benchmarked against ISO standards. We offer a bespoke service tailored to our clients’ needs.