AML Risk Assessment
Risk Assessment Procedures
• Executive Summary Template - An overview of the results, together with key drivers of the risk and controls
• Risk Scoring Template - Assignment of Risk Ratings using a standard framework and terminology for AML risk
• Risk Assessment Template - An analysis of the sources of AML risk, together with an assessment of the controls and risk mitigants in place
Copyright © 2009 Deloitte Development LLC. All rights reserved.
Risk Assessment Program
Risk Assessment documents each LOB's exposure to inherent AML risk factors arising from
three primary areas:
1) Products and services known to have been, or which can potentially be, abused by
money launderers and terrorists;
2) Customers and entities who move large amounts of cash or other funds to disguise 'dirty
money'; and
3) Countries and territories with weak AML controls, with a documented history of corruption
problems, or associated with the production and distribution of narcotics or associated with
terrorism.
• Low - Indicates truly minimal activity related to high-AML risk customers or products and
services.
• High - Is appropriate when high-risk customers or products and services are actively
pursued as a business strategy and as a result comprise a material portion of the
customer base, transactions and financial performance.
• Risk may be managed, mitigated or, perhaps in some instances, eliminated. “Mitigation
Factors” are those controls that, if properly implemented and maintained on an on-going
basis, could lessen or mitigate some or all of the inherent risk.
• Strong - indicates that the control is in place, well established, extremely effective in
preventing the occurrence of risk events, and performed with an appropriate frequency
that is relevant to the process. A strong control is also performed effectively by the
control group and is periodically tested to ensure it is still in place. For a strong
assessment, there must have been no significant risk events that occurred as a result of
a breakdown of the control.
• Weak - describes a control that is not in place although it needs to be, is not particularly
effective in preventing risk events, may not be performed with any particular frequency or on
any scheduled timetable (if one can be ascertained), or where significant risk events
occurred that might have been prevented had the control, or a stronger control, been in
place.
Example of inherent AML risk assessed across 5 main risk areas. Multiple risk factors are evaluated
within each main risk area to determine the overall inherent AML risk for each country/business.
[Figure: inherent AML risk model. Panel titles: "5 Main Risk Areas", "Examples of Risk Factors", "Risk Model Snapshot", "Inherent Risk Summary Dashboard".]
Legend: For each country / risk area / risk factor the inherent AML risk can be rated on a scale of:
Main risk areas legible in the figure: 1 Customer Base; 4 Business Strategy
Examples of risk factors shown:
• Maturity/stability
• Domicile/residency
• PEP status
• E-banking
• Indirect customers
• M&A activity
• Business strategy changes
• Expected growth
• Product portfolio expansion
• Staff turnover
Step 1: Mitigating controls in form of AML policies, procedures and processes are assessed for
each country/business
Step 2: Residual AML risk is derived by 'subtracting' mitigating controls from the inherent AML risk
[Figure: control assessment. Panel titles: "12 Control Areas", "Examples of Questions", "Structured Answers".]
[Figure: AML Compliance Program Assessment. Central statement: "Banks must mitigate money laundering, regulatory and reputational risks". Surrounding elements: Technology Solutions; Risk Assessments; Independent Testing; Develop AML Policies and Procedures; KYC; CIP; AML Training.]
• Customers are on-boarded and their information is typically entered into a bank's
KYC/CIP database. The data is matched against public and private information to
search for risk factors including, but not limited to, PEP status.
• After the new customer completes the KYC/CIP process, accounts are opened and the
risk scores are populated within the customer database.
• All account activity is periodically monitored through the bank's Transaction Monitoring
application where risk factors are analyzed in connection with transactional patterns in
search of anomalous activity at both customer and account levels.
• Monitors account activity for unusual transaction patterns or events that exceed
statistical thresholds within pre-defined scenarios. The systems typically utilize temporal
analysis to evaluate transactions over multiple dimensions of time.
• Alerts generated are typically clustered with other intelligence data and reviewed by a
bank's Financial Intelligence Unit (“FIU”). The FIU's mission is to bring a focused and
proactive approach to the operational aspects of financial crimes deterrence, detection,
and reporting. The result can be an enterprise view of risk from across the organization.
• Many banks use some sort of manual transaction monitoring, particularly for very high
risk areas.
• Structured Cash
‒ Frequent cash deposits under the reporting threshold (e.g., patterns between $8 to
$10k) or instances of periodic round dollar transactions
• Dormant Accounts
‒ Instances of sudden spikes in an account's activity which was previously dormant
• Series of transactions (buys and sells) that do not result in change of ownership
‒ Instances of a series of buys and sells of a product within an account on the same day
(commodities, securities or foreign exchange account) that do not result in any change
of ownership of the product, and there does not appear to be any reason for the
transactions
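
The structured-cash and dormant-account scenarios above, sketched as transaction-monitoring rules in Python. This is an added example, not code from the original slides: the 14-day window, the hit counts, the 180-day dormancy period, the field names and the sample transactions are assumptions; only the $8k to $10k band follows the text's example.

```python
from collections import defaultdict
from datetime import date

CASH = "cash_deposit"
# Band follows the page's example; the remaining values are assumed tuning parameters.
BAND_LOW, REPORT_THRESHOLD = 8_000, 10_000
WINDOW_DAYS, MIN_HITS = 14, 3        # assumed
DORMANT_DAYS, SPIKE_COUNT = 180, 3   # assumed

def _dates_by_account(txns, keep=lambda t: True):
    grouped = defaultdict(list)
    for t in txns:
        if keep(t):
            grouped[t["account"]].append(t["date"])
    return {acct: sorted(days) for acct, days in grouped.items()}

def structured_cash(txns):
    """Accounts with MIN_HITS+ cash deposits in the band inside any WINDOW_DAYS span."""
    in_band = lambda t: (t["type"] == CASH
                         and BAND_LOW <= t["amount"] < REPORT_THRESHOLD)
    flagged = set()
    for acct, days in _dates_by_account(txns, in_band).items():
        if any((days[i + MIN_HITS - 1] - days[i]).days < WINDOW_DAYS
               for i in range(len(days) - MIN_HITS + 1)):
            flagged.add(acct)
    return flagged

def dormant_spike(txns):
    """Accounts silent for DORMANT_DAYS+ that then post SPIKE_COUNT+ transactions
    within WINDOW_DAYS of the first transaction after the gap."""
    flagged = set()
    for acct, days in _dates_by_account(txns).items():
        for prev, woke in zip(days, days[1:]):
            if (woke - prev).days >= DORMANT_DAYS:
                burst = [d for d in days if 0 <= (d - woke).days < WINDOW_DAYS]
                if len(burst) >= SPIKE_COUNT:
                    flagged.add(acct)
                    break
    return flagged

def _t(acct, day, kind, amount):
    return {"account": acct, "date": date.fromisoformat(day), "type": kind, "amount": amount}

# Constructed sample transactions (not real data).
SAMPLE = [_t(*row) for row in [
    ("A-100", "2024-03-01", CASH, 9_500), ("A-100", "2024-03-04", CASH, 9_200),
    ("A-100", "2024-03-08", CASH, 8_800), ("A-200", "2024-03-01", CASH, 9_500),
    ("A-200", "2024-03-03", CASH, 2_500), ("A-200", "2024-03-10", CASH, 12_000),
    ("A-300", "2023-01-10", "wire", 400), ("A-300", "2024-03-02", "wire", 7_000),
    ("A-300", "2024-03-03", "wire", 6_500), ("A-300", "2024-03-05", "wire", 9_900),
]]
```

On the sample, `structured_cash(SAMPLE)` flags only A-100 and `dormant_spike(SAMPLE)` flags only A-300; A-200 has a single in-band deposit and stays below the hit count.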