1.5 Regulatory risk versus business risk (continued)
You may need to consider what controls, systems and procedures should be put in place in order to identify, mitigate and manage any one of these risk categories or a combination of all of them.
Inherent ML/TF risk can be assessed across a business as a whole and in particular:
- customer type risk
- types of designated services risk
- delivery method risk
- risks when dealing in foreign jurisdictions.
The product service review worksheet may assist in prioritising which of your products and services may be more vulnerable to money laundering and terrorism financing risk.
It is recognised that no matter how strong the risk mitigation and management program is, each reporting entity will still have some residual ML/TF risk.
In recognising the existence of residual risk, reporting entities should undertake ongoing due diligence and regularly monitor their ML/TF risk profiles according to the nature, scale and complexity of their business operations. The frequency of monitoring should be determined by the level of risk identified, the degree of urgency required for resolving issues and where applicable, the requirements of the AML/CTF Act and/or AML/CTF Rules.
The process for managing both inherent and residual risk within a risk management framework, if applying the model suggested by the Australian and New Zealand Risk Management Standard (AS/NZS 4360: 2004), would consist of:
- establishing the internal and external context within which designated services are provided (customer types, services, delivery methods and jurisdictions)
- identifying risks
- evaluating and assessing risks
- treating those risks.
This risk management framework would then be tailored within the ML/TF context.
| AS/NZS 4360:2006 Risk Management |
This internationally-respected standard was updated and re-released by Standards Australia in 2004. Widely used, the standard provides a generic guide for managing risk. It may be applied in a wide range of activities, decisions or operations of any organisation and it specifies the elements of the risk management process.
This standard is available from the Standards Australia website: www.standards.org.au. |
As a Compliance Officer or person responsible for developing and implementing an AML/CTF program, it is necessary to consider the risks your business might reasonably face. It is likely that your business will already have policies, strategies and procedures in place to deal with other legislative requirements, for example visits by APRA, security protocols, workplace relations, anti-discrimination laws and occupational health and safety. It is recommended that any existing policies, procedures or risk frameworks be adapted to incorporate AML/CTF requirements.
One of the main drivers for developing an AML/CTF program for most reporting entities is to be compliant with the AML/CTF Act and to avoid being subjected to regulatory action. Managing this regulatory risk is a very important consideration, but of equal concern to businesses is managing the operational risks to avoid the impacts that might follow if the business were targeted by money launderers or terrorists. Loss of reputation, legal costs, losing market share, or being less competitive are possible if your business becomes a conduit for money laundering or terrorism financing.