Risk management - A tool for small-to-medium sized businesses
File size 252KB

 

Anti-Money Laundering and Counter-Terrorism Financing Act 2006

Disclaimer
The information contained in this document is intended to provide only a summary and general overview on these matters. It is not intended to be comprehensive. It does not constitute nor should it be treated as legal advice or opinions. The Commonwealth accepts no liability for any loss suffered as a result of reliance on this publication. AUSTRAC recommends that independent professional advice be sought. The information contained herein is current as at the date of this document.

Introduction

Scope and limitations

This risk management tool is designed to help small-to-medium sized businesses meet the requirements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Use of this resource is not mandatory and reporting entities may choose an alternative method which is appropriate to their business (size, nature and complexity) and the money laundering and/or terrorism financing (ML/TF) risks they may reasonably face.

What is risk?

Risk can be defined as the combination of the probability of an event and its consequences.(1) In simple terms risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.

What is risk management?

Risk management is the process of recognising risk and developing methods to both minimise and manage the risk. This requires the development of a method to identify, prioritise, treat (deal with), control and monitor risk exposures. In risk management, a process is followed where the risks are assessed against the likelihood (chance) of them occurring and the severity or amount of loss or damage (impact) which may result if they do happen.

Which risks do you need to manage?

For the ML/TF environment, AUSTRAC generally expects a business's risk management practice to address two main risks: business risk and regulatory risk.

Business risk is the risk that your business may be used for ML/TF. Businesses must assess the following risks in particular:

• customer risks
• products or services risks
• business practices and/or delivery method risks
• country or jurisdictional risks.
  
  

Regulatory risk is associated with not meeting your obligations under the AML/CTF Act. Examples of regulatory obligations that may be breached include reporting certain transactions such as international funds transfer instructions, verifying the identity of your customers and having an AML/CTF program (showing how your business identifies and manages the ML/TF risk it may face).

Further discussion on business and regulatory risk is included in the risk identification section.

It is unrealistic that a business would operate in a completely risk-free environment in terms of ML/TF. Therefore, it is suggested that a business identifies the ML/TF risk it faces, then works out the best ways to reduce and manage that risk. In doing this, it is necessary to balance the costs to your business and customers against the risk of the business being used for ML/TF. This should be in proportion to the size of your business and the resources you have available. A business will only be expected to counter the ML/TF risk it may reasonably be expected to face while providing designated services.

The risk management framework (or method)

The approach to risk management in this document is based on the AS/NZS 4360:2004: Standard for risk management (Australian Standard) and the AUSTRAC guidance note Risk management and AML/CTF programs. This document tries to simplify the steps in the Australian Standard and yet include those that AUSTRAC considers should be included in a risk management framework. These steps are a core requirement of an AML/CTF program.

Figure 1: The risk management framework

Risk identification

Identify the main ML/TF risks: customers products & services business practices/delivery methods countries you do business with   Identify the main regulatory risks

Risk assessment/measurement

Measure the size & importance of risk: likelihood - chance of the risk happening impact - the amount of loss or damage if the risk happened likelihood X impact = level of risk (risk score)

Risk Treatment
   

Manage the business risks: minimise and manage the risks apply strategies, policies and procedures    Manage the regulatory risks: put in place systems and controls carry out the risk plan & AML/CTF program

Risk monitoring and review

Monitor & review the risk plan: develop and carry out monitoring process keep necessary records review risk plan and AML/CTF program do internal audit or assessment do AML/CTF compliance report

The risk management process

Risk identification

The first step is to identify what ML/TF risks exist for your business when providing designated services. As previously discussed, there are two risk types: business risk and regulatory risk.

Business risk

The AML/CTF Rules state that a reporting entity must consider the risk posed by:

• customers
• products and services
• business practices/delivery methods (channels)
• countries it does business in/with (jurisdictions).

Under these four groups, individual risks to your business can be determined. While not an exhaustive list, some of these individual risks may include:

Customers:

• a new customer
• a new customer who wants to carry out a large transaction
• a customer or group of customers making lots of transactions to the same individual or group
• a customer who has a business which involves large amounts of cash
• a customer whose identification is difficult to check
• a customer who brings in large amounts of used notes and/or small denominations.

Products and services:

• credit card
• branch pick-up
• door to door delivery service
• direct credit to a bank.

Business practice/delivery method (channels):

• online/internet
• phone
• fax
• email
• third-party agent or broker.

Country/jurisdiction:

• any country or particular region of a country in which you may do business
• any country subject to trade sanctions
• any country known to be a tax haven, source of narcotics or other significant criminal activity.
  

Regulatory risk

This risk is associated with not meeting the requirements of the AML/CTF Act.

Examples of some of these risks are:

• customer verification not done properly
• failure to train staff adequately
• not having an AML/CTF program
• failure to report suspicious matters
• not submitting an AML/CTF compliance report
• not having an AML/CTF Compliance Officer.

Further information to help identify risks is included in the AUSTRAC guidance note Risk management and AML/CTF programs.

A table similar to Table 1 shown below - Risk management worksheet - could be used for each risk group in preparation for assessing and managing those risks: customers, products and services, business practices/delivery methods, country/jurisdiction and the regulatory risks.

Table 1: Risk management worksheet - risk

The use of this table will be continued in following sections.

Risk assessment

Having identified the risks involved, they need to be assessed or measured in terms of the chance (likelihood) they will occur and the severity or amount of loss or damage (impact) which may result if they do occur. The risk associated with an event is a combination of the chance (likelihood) that the event will occur and the seriousness of the damage (impact) it may do.

Therefore each risk element can be rated by:

• the chance of the risk happening - 'likelihood'
• the amount of loss or damage if the risk happened - 'impact' (consequence).

To help assess the risks identified in the first stage of this process, we can apply the risk rating scales for likelihood (Table 2) and impact (Table 3) and from these get a level of risk or risk score using the risk matrix (Figure 2).

Likelihood scale

A likelihood scale refers to the potential of an ML/TF risk occurring in your business for the particular risk being assessed. Three levels of risk are shown in Table 2, but you can have as many as you believe are necessary.

Table 2: Likelihood scale

Impact scale

An impact scale refers to the seriousness of the damage (or otherwise) which could occur should the event (risk) happen.

In assessing the possible impact or consequences, the assessment can be made from several viewpoints. Following is a list of ideas. It does not cover everything and it is not prescriptive.

Impact of an ML/TF risk could, depending on individual business circumstances, be rated or looked at from the point of view of:

• how it may affect your business if, through not dealing with risks properly, you suffer a financial loss from either a crime or through fines from the regulator
• the risk that a particular transaction may result in the loss of life or property through a terrorist act
• the risk that a particular transaction may result in funds being used for any of the following: corruption, bribery, smuggling of goods/workers/immigrants, banking offences, narcotics offences, psychotropic substance offences, slavery and trade in women and children, illegal arms trading, kidnapping, terrorism, theft, embezzlement, or fraud
• the risk that a particular transaction may cause suffering due to the financing of illegal drugs
• reputational risk - how it may affect your business if you are found to have (unknowingly) aided an illegal act, which may mean government sanctions and/or being shunned by your own community of customers
• how it may affect your wider community if you are found to have aided an illegal act; the community may get a bad reputation as well as your business.

Three levels of risk are shown in Table 3, but you can have as many as you believe are necessary.

Table 3: Impact scale

Risk matrix and risk score

Use the risk matrix to combine LIKELIHOOD and IMPACT to obtain a risk score. The risk score may be used to aid decision making and help in deciding what action to take in view of the overall risk. How the risk score is derived can be seen from the risk matrix (Figure 2) and risk score table (Table 4) shown below. Four levels of risk or score are shown in Figure 2 and Table 4, but you can have as many as you believe are necessary.

Figure 2: Risk matrix

Threat level for ML/TF risk

	Very likely	Medium 2	High 3	Extreme 4
	Likely	Low 1	Medium 2	High 3
	Unlikely	Low 1	Low 1	Medium 2
	What is the chance it will happen?	Minor	Moderate	Major

Table 4: Risk score table

Once threat levels and risk scores have been allocated they can be entered in the risk management worksheet (Table 5) next to the risk.

Table 5: Risk management worksheet - threat level and risk score

Risk treatment

This stage is about identifying and testing methods to manage the risks you have identified and assessed in the previous process. In doing this you will need to consider putting into place strategies, policies and procedures to help reduce (or treat) the risk. Examples of a risk reduction or treatment step are:

• setting transaction limits for high-risk products
• having a management approval process for higher-risk products
• process to place customers in different risk categories and apply different identification and verification methods
• not accepting customers who wish to transact with a high-risk country.

You could record this using Table 6.

Table 6: Risk management worksheet - risk treatment or action

Another way you can reduce the risk is to use a combination of risk groups to modify the overall risk of a transaction. You may choose to use a combination of your customer, product/service and country risk to modify an overall risk. For example, in the case of a remitter, for a low-risk customer you may decide to only use a bank account-to-bank account service (assessed as low risk by you) to a certain city/province (assessed as a high risk area by you) in a certain country (assessed as low risk by you).

It is important to remember that identifying, for example, a customer, transaction or country as high risk does not necessarily mean that money laundering or terrorism financing is involved. The opposite is also true: just because a customer or transaction is seen as low risk does not mean the customer or transaction in not involved in money laundering or terrorism financing. Experience and common sense should be applied to your risk management process.

Monitor and review

Keeping records and regular evaluation of your risk plan and AML/CTF program is essential. The risk management plan and AML/CTF program cannot remain static as risks change over time; for example, changes to your customer base, your products and services, your business practices and the law.

Once documented, your business should develop a method to regularly check on whether your AML/CTF program is working correctly and well. If not, you need to work out what needs to be improved and put changes in place. This will help keep your program effective and also meet the requirements of the AML/CTF Act.

Additional tools to help your risk assessment

The following tools or ideas can be useful in helping to manage risk. You can include them in the previous risk assessment process to better inform your decisions.

Applying risk appetite to risk assessment

Risk appetite is the amount of risk a business is prepared to accept in pursuit of its business goals. Risk appetite can be an extra guide to your risk management strategy and can also help you deal with risks. It is usually expressed as an acceptable/unacceptable level of risk.

Some questions to ask are:

• What risks will the business accept?
• What risks will the business not accept?
• What risks will the business treat on a case by case basis?
• What risks will the business send to a higher level for a decision?

The risk matrix can be used to show the risk appetite of your business.

In a risk-based approach to AML/CTF the assessment of risk appetite is a judgement that must be made by the reporting business. It will be based on its business goals and strategies, and an assessment of the ML/TF risks it faces in providing the designated services to its chosen markets.

Figure 3: Sample risk matrix showing risk appetite

	Very likely	Acceptable Risk Medium 2	Unacceptable Risk High 3	Unacceptable Risk Extreme 4
	Likely	Acceptable Risk Low 1	Acceptable Risk Medium 2	Unacceptable Risk High 3
	Unlikely	Acceptable Risk Low 1	Acceptable Risk Low 1	Acceptable Risk Medium 2
	What is the chance it will happen?	Minor	Moderate	Major

Risk tolerance

In addition to defining your business's risk appetite, you can also define a level of variation to how you manage that risk. This is called risk tolerance, and it provides some flexibility whilst still keeping to the risk framework you have developed.

An example showing how risk appetite and risk tolerance interact follows.

Relevant legislation

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
• Financial Transaction Reports Act 1988 (FTR Act)
• Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules)
  

Relevant resources

• AUSTRAC Regulatory Guide
• AUSTRAC guidance note Register of Providers of Designated Remittance Services
• AUSTRAC guidance note Risk management and AML/CTF programs
• Brochures on various topics including - 'AML/CTF programs' and 'Customer identification'

AUSTRAC help

• AUSTRAC website: www.austrac.gov.au
• AUSTRAC Help Desk: help_desk@austrac.gov.au or 1300 021 037 (a local call within Australia)
• AUSTRAC Online, designed to help businesses with their regulatory and reporting obligations
• Small businesses that are reporting entities will also be subject to the Privacy Act 1988 regarding their obligations under the AML/CTF Act. For further information please visit the website of The Office of the Privacy Commissioner or contact them on 1300 363 992.

1 International Organisation for Standardisation. ISO/IEC Guide 73 Risk management - Vocabulary - Guidelines for use in standards. Geneva: ISO, 2002.