Compliance Risk Exposure Scoring Tool (CREST)
AUSTRAC has developed a new risk assessment approach, the Compliance Risk Exposure Scoring Tool (CREST), to assist the agency in its risk-based supervision of regulated entities. CREST allows AUSTRAC to concentrate its supervisory resources on entities at most risk of money laundering or terrorism financing (ML/TF).
AUSTRAC conducts industry supervision to promote sound ML/TF risk management and ensure a high degree of legislative compliance by regulated entities. This supervisory activity uses various tools and techniques, including the existing AUSTRAC Regulatory Risk Assessment System (ARRAS).
ARRAS was developed to assess the financial transaction reporting (FTR) compliance risk of individual entities and industries and will continue to be used by AUSTRAC to support its FTR analysis and data quality functions. However, an independent review of ARRAS identified that risk rating entities on exposure to ML/TF risk would require a different approach, which is now implemented in CREST.
CREST is a modelling tool, risk assessment framework and methodology that will be used by AUSTRAC's supervisory branch to assist in ranking regulated entities and 'peer groups' of entities in the same industry sector, which have similar business profiles and characteristics, according to their exposure to ML/TF risk.
The CREST model framework and methodology aim to achieve a reasonable degree of rigour and consistency in the risk assessment process. It is not a scientific methodology and may contain subjective assessments based on information available to AUSTRAC.
The outcome of a CREST risk assessment for a peer group or regulated entity is a 'risk priority rating' which reflects the likelihood ('residual risk') of the peer group or entity being misused for ML/TF activity and the impact ('ML/TF impact') that such misuse might have on the national effort to detect and deter financial crime.
In formulating a risk assessment for an entity or representative member of a peer group, account is taken of the entity's characteristics, including the types of products and services it provides, its distribution channels, business structure, volume of ML/TF exposed business and internal controls, as well as what AUSTRAC knows about broad ML/TF typologies.
The key components of the CREST risk assessment model are shown below.
CREST takes account of risk indicators considered to be reflective of inherent ML and TF risks and internal control, respectively. Internal control considers the quality and effectiveness of an entity's internal risk management systems for mitigating inherent risk and complying with legislative obligations.
Each of the inherent risk and internal control components shown above incorporates several key areas, called modules, which encompass the subcomponents shown below.
The ML/TF impact assessment takes into account the 'size and scale' of an entity and several industry-related 'significance' or 'strategic' factors which might reflect, for example, an entity's public profile and highlight the impact of its misuse for criminal purposes.
CREST risk assessment steps
The high-level steps involved in performing a risk assessment for a single regulated entity or peer group of entities in CREST are as follows.
Based on the entity or peer group's inherent characteristics, the ML and TF inherent risk scores are separately determined, weighted according to their significance and then combined into a composite inherent risk score.
The internal control score is then determined based on an assessment of the entity or peer group's internal control characteristics.
The inherent risk score is then discounted by the internal control score to produce a residual risk score representing AUSTRAC's assessment of the inherent ML/TF risk that remains. While entities may achieve legislative compliance and undertake all reasonable risk mitigation, some exposure to ML/TF risk will always remain.
The next step involves assessment and scoring of ML/TF impact, which is then combined with residual risk to determine the risk priority rating, as shown below.
The risk priority rating helps determine AUSTRAC's supervisory priorities and strategies. The ratings are grouped into four risk priorities: high, medium, low and minimum.
CREST risk ratings are internal to AUSTRAC. In certain cases involving on-site visits to entities, AUSTRAC may choose to disclose the entity's CREST ratings on a confidential basis and on strict condition that the entity does not further disclose the rating.
CREST is an evolving model that will be progressively refined in line with AUSTRAC's growing regulatory and supervisory experience.