Regulators have been advocating a Risk Based Approach ("RBA") in combatting money laundering and terrorist financing ("ML/TF") for several years (1).
The view is that in order to implement effective AML/CTF systems and controls, Authorized Institutions ("AIs") should identify, assess and understand the ML/TF risks to which they are exposed. It is impossible for banks to manage ML/TF risks, and also to show the regulator that they are being managed effectively, if such risks are not even known in the first place!
The HKMA has made Institutional Risk Assessments an increasing
area of focus since 2014 (2) and the below summary highlights key
expectations in this regard (noting the requirements regarding
customer risk assessments are set out at Chapter 3 of the AMLO
Guideline).
The Benefits – Why Invest in an Institutional Risk Assessment (IRA)?
Some financial institutions, especially some smaller players, shy away from carrying out an institutional risk assessment, claiming that it is not necessary, that the existing risk framework is sufficiently robust and/or that the firm is not big enough to justify the time and resources required.
In supporting a case for an IRA, the benefits are significant and include:
Helping to optimize resources by enabling institutions to focus on higher risk / high impact areas, which is the basic premise of a Risk Based Approach.
Demonstrating an institution's commitment to understanding and analyzing ML/TF risks. An IRA can equally help to identify key risks, control weaknesses and where remediation efforts may be required on an ongoing basis.
Ensuring Senior Management are better informed of the ML/TF risks facing the business, while facilitating strategic decision making.
What are the "MUST HAVE" requirements in implementing an IRA?
Although there is no mandated format or template for an IRA, institutions should carefully consider the underlying factors that make up the risk assessment and the methodology used. Having a risk assessment is one thing; understanding its rationale, and being able to convey this to a regulator if required, is key.
The HKMA has previously stated that an institution should take steps to identify, assess and understand the ML/TF risks in relation to the following: (1) their customers, (2) the countries/jurisdictions the customers are from, (3) the countries/jurisdictions the AIs have operations in, and (4) the products, services, transactions and delivery channels of the AI (3).
Related to this, the IRA should:
Be available in written form;
Include both quantitative and qualitative assessment;
Be sufficiently detailed to enable meaningful analysis of the ML/TF risks (i.e. generic data or information that is too broad and not specific to the business is not useful for risk assessment purposes);
Include some commentary on the overall risk appetite of the business and how mitigating measures would reduce those risks;
Be updated annually to reflect changing conditions and emerging risks (e.g. sanctions, tax evasion risk);
Be communicated to relevant stakeholders and signed off by Senior Management.
What about local branches of overseas banks?
AIs that are part of a global banking group can leverage a group-wide or regional risk assessment, to the extent that the assessment reflects the ML/TF risks posed to the AI in the local context. The IRA should therefore take into account relevant customer, product and other risks as they relate to the local AI. The onus will be on the local AI to demonstrate how the global / regional risk assessment is relevant and applicable.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
