The national risk assessment and your risk lists

I was discussing a financial crime business risk assessment with a client recently and the conversation turned to the UK national risk assessment. It transpired the client wasn’t aware that the UK updated their assessment in December 2020. They also couldn’t really explain how they’d used older versions in the development of their own risk assessment.

Firms are obliged (regulation 18(2)(a)) to take into account “information made available to them by the supervisory authority”. Putting any obligations aside, the NRA is a really useful way of getting some external perspectives on actual risks of operating in the UK to inform some of your own decision making when conducting a risk assessment.

The purpose of the 2020 assessment is to provide a “stock-take of our collective knowledge of money laundering and terrorist financing risks in the UK”. It contains easily digestible insights which can inform:

  • Country risk – including deep dives on a selection of specific countries, including China, Hong Kong, Pakistan, Russia, UAE and crown dependencies / overseas terrirotires

  • Product and service risk – sector-by-sector analysis including a focus on specific products such as trade finance

  • Customer risk – including different types of legal entity and industry risks

  • Channel risk – and recognising the increased prevalence of non-face-to-face business

  • Transaction risk – by illustrating multiple factors or transaction profiles associated with various products and services.

At a minimum, firms must make a documented assessment whether the updated NRA necessitates a review of the business risk assessment or not. At most, it should serve as a trigger to re-tune and re-perform your risk assessment.

risk lists.png

Our conversation turned to the risk assessment framework more generally andin particular the need to link the client and business risk assessments with objective data points. Inherent business risk assessment could be characterised as the sum of all client risk assessments,  but of course this would require consistent data points. While most firms have a clear country risk list, it is less common to see the same level of rigour in the other lists.


Each of these “risk lists” requires its own methodology – and require a great deal of internal insight, the NRA is a rich source of insight to help firms make more informed and objective decisions.

 So what do I recommend doing?

  • Reading the updated NRA and considering the extent to which it changes or impacts your current understanding of risks. Do you need to update your methodology or re-perform your assessment?

  • Reflect on your underpinning risk lists and how comprehensive and objective they are.  How could the NRA help improve any of these lists?

  • Seek to get greater alignment between your business and client risk assessment processes as a result of using harmonised sources where possible. Do you have a single set of risk lists underpinning both assessments?

In a busy environment some of these activities may not be immediately considered important, but the purpose of these actions are all about improving efficiency and effectiveness by:

  • Removing duplication of effort in the development of the client and business risk assessments

  • Making the inherent business risk assessment more streamlined and intuitive

  • Supporting a more informed risk based approach

Richard

Previous
Previous

Navigating the disconnect: latest FCA Dear CEO letter shows fundamental AML issues remain

Next
Next

Periodic review of your periodic review process