Regulators have been advocating a Risk Based Approach ("RBA") to combating money laundering and terrorist financing ("ML/TF") for several years (1).

The view is that, in order to implement effective AML/CTF systems and controls, Authorized Institutions ("AIs") should identify, assess and understand the ML/TF risks to which they are exposed. A bank cannot manage ML/TF risks, let alone demonstrate to the regulator that they are being managed effectively, if those risks have not first been identified.

The HKMA has made Institutional Risk Assessments an increasing area of focus since 2014 (2), and the summary below highlights the key expectations in this regard (noting that the requirements for customer risk assessments are set out in Chapter 3 of the AMLO Guideline).

  1. The Benefits – Why Invest in an Institutional Risk Assessment (IRA)?

Some financial institutions, especially smaller players, shy away from carrying out an institutional risk assessment, claiming that it is not necessary, that the existing risk framework is sufficiently robust, and/or that the firm is not big enough to justify the time and resources required.

The case for an IRA is a strong one; its benefits include:

  1. Helping to optimize resources by enabling institutions to focus on higher-risk and higher-impact areas, which is the basic premise of a Risk Based Approach.
  2. Demonstrating an institution's commitment to understanding and analyzing ML/TF risks. An IRA equally helps to identify key risks, control weaknesses and areas where remediation efforts may be required on an ongoing basis.
  3. Ensuring Senior Management is better informed of the ML/TF risks facing the business, which in turn supports strategic decision making.

  2. What are the "MUST HAVE" requirements in implementing an IRA?

Although there is no mandated format or template for an IRA, institutions should carefully consider the underlying factors that make up the risk assessment and the methodology used. Having a risk assessment is one thing; understanding its rationale, and being able to explain it to a regulator if required, is what matters.

The HKMA has previously stated that an institution should take steps to identify, assess and understand the ML/TF risks in relation to the following: (1) its customers; (2) the countries/jurisdictions its customers are from; (3) the countries/jurisdictions in which the AI has operations; and (4) the products, services, transactions and delivery channels of the AI (3).

Related to this, the IRA should:

  1. Be available in written form;
  2. Include both quantitative and qualitative assessment;
  3. Be sufficiently detailed to enable meaningful analysis of the ML/TF risks (i.e. generic data or information that is too broad and not specific to the business is not useful for risk assessment purposes);
  4. Include commentary on the overall risk appetite of the business and on how the mitigating measures in place would reduce the identified risks;
  5. Be updated annually to reflect changing conditions and emerging risks (e.g. sanctions, tax evasion risk); and
  6. Be communicated to relevant stakeholders and signed off by Senior Management.

  3. What about local branches of overseas banks?

AIs that are part of a global banking group can leverage a group-wide or regional risk assessment to the extent that it reflects the ML/TF risks posed to the AI in the local context. The IRA should therefore take into account the relevant customer, product and other risks as they relate to the local AI. The onus is on the local AI to demonstrate how the global or regional risk assessment is relevant and applicable to it.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.