Institutional Risk Assessments - Expectations For Compliance Officers And MLROs

Author:Ms Elizabeth MacDonald and Phil Rodd
Profession:Ernst & Young

Regulators have been advocating a Risk Based Approach ("RBA") in combatting money laundering and terrorist financing for several years (ML/TF) (1).

The view is that in order to implement effective AML/CTF systems and controls, Authorized Institutions "AI's" should identify, assess and understand the ML/TF risks to which they are exposed. It is impossible for Banks to manage ML/TF risks and also show the regulator they are being managed effectively - if such risks are not even known in the first place!

The HKMA has made Institutional Risk Assessments an increasing area of focus since 2014 (2) and the below summary highlights key expectations in this regard (noting the requirements regarding customer risk assessments are set out at Chapter 3 of the AMLO Guideline).

The Benefits - Why Invest in an Institutional Risk Assessment (IRA)? Some financial institutions, especially some smaller players shy away from carrying out an institutional risk assessment, claiming it's not necessary, the existing risk framework is sufficiently robust and/or that the firm is not big enough to justify the time/resources required. 

In supporting a case for an IRA, the benefits are significant and include:

Helping to optimize resources; by enabling institutions to focus on higher risk / high impact areas which is the basic premise of a Risk Based Approach. Demonstrating an institution's commitment to understanding and analyzing ML/TF risks. An IRA can equally help to identify key risks, control weaknesses and where remediation efforts may be required on an ongoing basis. Ensuring Senior Management are better informed of the ML/TF risks facing the business while facilitating strategic decision making. What are the "MUST HAVE" requirements in implementing an IRA? Although there is no mandated format or template for an IRA, institutions should carefully consider the underlying factors that make up the risk assessment and the methodology used. Having a risk assessment is one thing, understanding its rationale and being...

To continue reading