Preparing for a Thematic Review: Financial Crime Business Wide Risk Assessments 

In a recent conversation with the FCA, they indicated that they will be conducting further Thematic Reviews in 2024 and that one of these is likely to be a review of firms’ financial crime risk assessments. What can you do to prepare and make sure you’re on the front foot if your firm is selected as part of the thematic review?  

The completion of a Business Wide Risk Assessment (BWRA) is a regulatory requirement under regulation 18 of the Money Laundering Regulations (MLRs). It’s also an area where we regularly see gaps and areas for improvement.  

Here are a few of the most common mistakes we see, together with questions you can ask yourself to make sure you’re ready.  

Financial crime BWRA 

A good quality BWRA enables firms to identify their biggest areas of financial crime risk, set their risk appetite, identify control deficiencies and utilise their resources where they are most needed.  

When conducting an audit or Skilled Person review, we are frequently handed a firm’s Risk and Control Self-Assessment (RCSA) and told that this is the BWRA. Having a few lines of detail which mention financial crime risk in your overall company risk assessment does not constitute a financial crime risk assessment as required under the MLRs. 

  • Do you have a BWRA in place which adequately considers money laundering, terrorist financing and proliferation financing risks? If not, you need to put one in place as a matter of urgency.  

Specific risks 

We frequently see examples of firms that have not adequately assessed the specific risks relating to their products and services, type of customers they serve, jurisdictions in which they operate, types of transactions they are involved in, and their delivery channels. We also see lots of BWRAs that don’t consider specific sectoral risks.  

  • Does your BWRA adequately consider the specific financial crime risks to your firm and the particular sector(s) you operate in?  

  • Can you demonstrate how you’ve addressed the minimum regulatory risk factors of “customer risks,” “country risks,” “product risks,” “transaction risks” and “channel risks”? 

  • Does your BWRA include any additional risk factors which may be specific to your business as informed by your risk appetite? 

Real risks 

We also see risk assessments where the fundamental “risk” being assessed isn’t particularly insightful or well articulated. For instance: 

  • Risks which are actually control failings. This creates a circular reference between the risk and your control effectiveness assessment: the “risk” is simply the absence of the control, so the control can only ever be scored against itself. A common one we see is the risk “fail to train staff properly”, mitigated by the control “we deliver annual training to all staff”.  

  • Risks which don’t drive insight. Many risks we see are more a statement of fact than a risk. One example might be “Customers are resident in a high risk country”. Whilst this can create a risk, it isn’t a risk in itself, making it challenging to map controls to in a meaningful way.  

Sources of information 

We often find that firms have not used a good range of sources of information on financial crime risks to develop their BWRA. Good practice is for firms to identify and use a wide range of reliable sources such as National Risk Assessments, JMLSG sectoral guidance, ESA Guidelines, FATF mutual evaluations and typology reports, NCA alerts, press reports, court judgements, reports by non-governmental organisations and commercial due diligence providers.  

  • Have you used a good range of sources which are relevant and proportionate to your business to conduct your BWRA?  

  • Do you make it obvious how and where these sources have specifically been used to inform the risk assessment and/or the methodology? 

Methodology 

The MLRs require firms to keep “an up-to-date record in writing of all the steps it has taken” to complete the BWRA. This helps demonstrate that a thorough process has been followed and ensures the exercise can be repeated consistently from year to year. However, we frequently see firms that have not clearly documented their methodology, and whose rationale for their scoring is not well articulated.  

Questions to ask yourself:  

  • Do you have a document in place which clearly details both the methodology and the underlying governance elements of the BWRA: the roles and responsibilities, the requirement to conduct the assessment on (at least) an annual basis, the approach taken, and the sources used to identify the inherent risks and relevant controls? 

  • Does your methodology clearly explain the rationale behind the weighting of each control and how the control effectiveness score impacts the residual risk rating? 

Consideration of proliferation financing risk  

Since September 2022, firms have been required to consider proliferation financing (PF) risk within their risk assessment, but we have seen multiple examples of firms not assessing PF risk in sufficient detail, and sometimes not at all.  

  • Does your BWRA adequately consider proliferation financing?  

Outputs of the BWRA 

We frequently see examples of firms producing the BWRA to satisfy a regulatory requirement rather than using the outputs to inform policies, procedures, or other control enhancements.  

  • Challenge yourself. When was the last time the structure of your BWRA was rigorously challenged, as opposed to dusting off last year’s assessment and updating the existing fields? 

  • Is there tangible evidence that you’ve used the output of your BWRA to influence senior management and make changes to procedures or other control enhancements? 

The purpose of a risk assessment is to ensure that your firm can demonstrate its awareness of the risks to which your business is exposed, and to inform the ongoing enhancement of your control framework. If your BWRA doesn’t do this, you need to make changes as a matter of priority.  

As ever if you need help please reach out to contact@avyse.co.uk  
