The regulatory laws provide that a licence or registration application shall contain or be accompanied by such other information or documents as the Commission may reasonably require, for the purpose of determining the application.
Business Risk Assessments (“BRAs”)
The Financial Action Task Force (“FATF”) 2012 Recommendations (“the Recommendations”) place even greater emphasis on the importance of undertaking an effective assessment of financial crime risks. This is further emphasised in its methodology in which it is stated,
• “Financial institutions and DNFBPs should be required to take appropriate steps to identify, assess and understand their ML/TF risks…”.
With regard to a competent authority’s responsibilities, the Recommendations note that supervisory controls expected to be undertaken by a competent authority, such as the Commission, should include a review of the assessment of the ML/TF risk profile of a financial institution or group.
All businesses to which the AML/CFT Regulations apply must undertake a BRA.
This requires that the business identifies the financial crime risks to which it could be exposed and the measures that will be taken to mitigate those risks. This also informs the risk appetite of the business.
Under Regulation 3(1), a BRA must be carried out as soon as reasonably practicable after a business becomes a financial services business. This assessment must be completed by the time business starts to be undertaken. It is also expected that measures will be adopted to mitigate the risks identified in the BRA.
It is therefore expected that a business will have commenced its review of these risks and identified possible measures to mitigate them prior to being licensed by the Commission under the Law.
New – Submission of BRA with Application Materials
With effect from Friday 5 September 2014, a draft business risk assessment, prepared in compliance with Regulation 3 of the AML/CFT Regulations and the rules in Chapter 3 of the Handbook, must be submitted with any application for a licence under the laws.
Please note that this new requirement DOES NOT extend to applications submitted with respect to the authorisation or registration of a collective investment scheme or PCC Cell and Incorporated Cell applications.
Applicants will not be required to use a specific form or provide the assessment in a pre-determined format.
Further guidance on how to prepare a business risk assessment can be found on the Financial Crime Supervision and Policy Division’s webpage at:
What is a Business Risk Assessment?
A risk-based approach is the adoption of a risk management process for dealing with money laundering and terrorist financing. This process encompasses recognising the existence of the risk(s), undertaking an assessment of the risk(s) and developing policies, procedures and controls to manage and mitigate the identified risks.
The Board and senior management of any business are responsible for managing the business effectively. They are in the best position to evaluate all potential risks, including those of ML/FT. The rules in Chapter 2 of the Handbook in relation to corporate governance make it clear that the Board has effective responsibility for compliance with the Regulations and the Handbook, and therefore it must take ownership of and responsibility for the Business Risk Assessment (“BRA”).
Guidance on identifying and assessing the risks of how a financial services business might be involved in ML/FT, taking into account its customers, products and services and the ways in which it provides those services, is provided in section 3.3 of the AML/CFT Handbook.
What should it contain?
At a minimum, a BRA should reflect that appropriate steps have been taken in order to identify and assess the risk of the entity being used to launder the proceeds of crime or to finance terrorism (for customers; jurisdictions or geographic areas; and products/services/transactions/delivery channels). In addition, the BRA should reflect the identification and assessment of other relevant risks. For example, in some cases this might include outsourcing. These assessments should be documented in order to demonstrate their basis and be kept up to date.
In addition to identifying the particular areas of vulnerability to the risk of ML/FT, a BRA should contain references as to how the entity manages or mitigates the risks which it has identified. For example, the BRA might include a reference stating that the higher risks associated with relationships with high risk jurisdictions are addressed by having suitable enhanced due diligence procedures and corresponding review and monitoring processes.
Industry sectors will have inherent and/or generic risk factors and these will need to be referenced. Additionally, individual entities will also have risk factors particular to that entity which will need to be referenced in their BRA.
What should it not contain?
The BRA should not simply be a cut and paste version of the relevant sections of the Handbook as this does not demonstrate that the Board has given serious consideration to the vulnerabilities particular to the entity.
It should not be a generic document which has simply been populated with general information as this, once again, does not demonstrate that the Board has given serious consideration to the vulnerabilities particular to the entity.
It should not contain unsubstantiated, highly generalised references to risk faced by the business. For example, a reference to all business being low risk would not be acceptable unless it was backed up with sufficient information as to how this assessment had been made.
It should not be a mix of ML/FT and prudential risk. If the firm wishes to combine the assessment of ML/FT and prudential risk in one document there needs to be a clear division between the two assessments.
Although, as identified previously, a BRA should contain references as to how the entity manages or mitigates the risks which it has identified, it does not necessarily have to include the detail of how the identified risks are managed and mitigated, as this may be fully addressed in the procedures and controls document(s).