Over the last few months, I have had many discussions with firms about their different approaches to managing financial crime risk, including the various strategies employed to combat money laundering, terrorist financing, politically exposed persons, sanctions and fraud-related risk.
The Financial Conduct Authority (FCA) identified financial crime risk (FCR) as one of its priority areas of focus for 2016/17, and continues to call for firms to adopt robust, proportionate and more efficient controls. One common challenge for firms is how they balance a risk-based approach with the increasing regulatory and reputational risks associated with instances of non-compliance.
Clearly, firms cannot mitigate every risk, and nor should they aim to. Resources need to be devoted to areas where a firm believes they will have the most impact. A key starting point to help ensure a robust and comprehensive risk-based approach is performing a financial crime risk assessment – the cornerstone of financial crime prevention.
So when performing the risk assessment, how does a firm best identify, quantify and document the financial crime risks it faces? How can your firm use the findings of risk assessments to formulate a framework for proportionate ongoing management of FCR?
What is a risk-based approach and what does it mean for you?
The FCA handbook requires firms to ensure they take reasonable care to establish and maintain effective systems and controls to counter the risk that they might be used to further financial crime. Specifically, SYSC 3.2.6R requires a firm to ensure that its systems and controls:
- Enable it to identify, assess, monitor and manage money laundering risk, and
- Are comprehensive and proportionate to the nature, scale and complexity of its activities
When developing systems and controls through the use of a risk-based approach, firms are required to review and assess their business, identify the financial crime risks they face and implement appropriate controls to monitor and manage these risks.
However, this is not as clear-cut as it may seem. UK regulators have not provided specific guidance or advice to firms on risk assessments. As a result, firms are often left feeling uncertain about their approach, particularly in relation to key aspects such as:
- The required frequency of risk assessments and how to manage the resource-intensive nature of this activity
- Their approach to interim updates, including what internal and external management information triggers the requirement for an update
- Whether risk assessments are holistic in nature and include the coverage of all financial crime-related issues including AML, sanctions, fraud, bribery and corruption, market abuse etc.
- Whose responsibility it is to undertake the risk assessment and the level of input required from across the business
Do you ensure the time invested in your risk assessment is adding value?
I often hear firms being critical of regulations, particularly where they do not see any obvious benefit to either their business or their customers. Does the requirement to undertake a risk assessment fall into this category for you?
A key and recurring challenge for firms is adopting a robust yet business-enabling approach to financial crime. Firms should seek to ensure a meaningful and tangible link between the assessment of inherent risk, internal controls and the overall residual risk rating. This subsequently allows resource to be directed to key areas of risk aligned to the firm’s overall risk appetite.
Huntswood has released a report on financial crime risk assessments. Based on research with a cross section of firms, the report offers guidance, outlines good practice and highlights practical steps that firms can take to embed a proportionate, pragmatic and dynamic approach.