Building a risk-based anti-money

laundering programme within your firm

Philip Robinson
UK Financial Services Authority
November 2007

Why is this important?

Why is this important?

Contents

What is a risk-based approach?

Building blocks
Limits and challenges
International guidance
UK guidance
Working in partnership
Questions

What is a risk-based approach?

Directing our resources to where the
risk is greatest
Make the most effective use of all our
efforts

Cannot be uniformly applied

Each sector and firm faces different risks

Seeks to achieve real outcomes

Reduce crime and social harm, not
guarding against regulatory sanctions

Risk-based approach
Can be applied by:
Firms
Regulators

Building blocks
A risk-based approach requires:
Thorough understanding of current risks
Firms need information to gauge current risks
Importance of public-private information sharing

Regulatory focus on principles

Accept firms seeking to achieve real outcomes
Reject prescriptive, detailed and inflexible rules

Acceptance than money-laundering will

never be completely eliminated
What can a sound firm with well-considered
controls realistically achieve?

Principles-based regulation
Firms must keep to the spirit, as well
as the letter, of the rules
Firms can use their judgement about
what suits their business needs, and
still deliver required outcomes
Helps supervisors and firms keep pace
with market changes and adapt more
quickly
Not about lighter touch regulation or
reduced consumer protection

Enforcement
FSA not enforcement-led regulator
Cases judged on individual merits
Significant and serious failings
Consumer protection
Strategic deterrent
Authorities must clearly communicate expected
standards and key concerns
Supervisors consider firms culture, controls and
internal risk assessments
Financial crime issues taken seriously:
Abbey National fined 2m AML checks
Deutsche Bank fined 6.3m market conduct
Nationwide fined 1m data security

Limits of a risk-based approach

There are minimum standards
Always need some due diligence checks
to allow ongoing monitoring

Some requirements are absolute

Application of sanctions law

Not an easy option

Requires skill, judgement and information
sharing

Challenges of a risk-based approach

Relies on making sound judgements
Staff must be skilled and well-informed

Variation in firms practices

Reasonable v. reckless variation

Producing appropriate guidance

Should inform industry expectations
Helps to explain reasons for regulatory
actions

Making sound judgements

Management information
Board and senior management must
understand where risks are

Cultural aspect, led from top

Ongoing staff training
Customer profiles and typologies
Sharing information
Trade associations
Networks and discussion groups

FATF on risk-based approach

Risks must be well understood
National risk assessment should provide fundamental
background information to stakeholders, affecting
responsibilities and resourcing
Enables well-informed judgements
Define risk appetite, with minimum requirements
Not zero-tolerance regime
Regulation and supervision must be effective,
transparent, and include:
Review of firms own risk assessments
Publication of appropriate guidance
Tools to identify weaknesses and sanction reckless
behaviour

FATF guidance
Firms should use risk criteria to
assess their money laundering and
terrorist finance risks
Risk profiles built by transactions and
updated by guidance from competent
authorities
Risk-based approach should be
embedded within internal controls
More controls for higher risk situations

Risk categories
Geographical areas of operation
Sanctions or alerts from competent authorities
High risk of corruption
Customer
Unusual transactions without explanation
Difficult to identify true owner
Reliance placed on gatekeepers
Politically exposed persons
Products
Cross border services providing extra anonymity, including,
correspondent or international private banking
Banknotes or precious metal trading

FATF: key internal controls

Regular review of risk management
procedures
Involve compliance function, meet all
legal and regulatory requirements
Adequate training and supervision of
employees
Senior management kept informed of
progress and carry out independent
testing of processes

UK industry guidance
JMLSG
Formulated by leading trade associations with
Treasury approval
Part I: general guidance
Part II: sector-specific

SOCA
National threat assessment
Alerts

FSA
Financial Risk Outlook
Newsletters, results of thematic work

JMLSG: core obligations

Appropriate systems and controls must
reflect the degree of risk associated with the
business and its customers
Determine appropriate customer due
diligence measures on a risk-sensitive basis
Take into account situations which by their
nature can present a higher risk of moneylaundering or terrorist financing
Risk factors:

Customers
Products and types of transaction
Geographical areas of operation
Delivery channels

JMLSG: actions required

Formal and regular money laundering and
terrorist financing risk assessment
Internal procedures, systems and controls
and staff awareness reflect risk assessment
Customer identification and acceptance
procedures reflect risk characteristics of
customers
Robust arrangements for monitoring
systems and controls, which reflect the risk
characteristics of customers

Suspicious transaction reporting

Initial customer due diligence checks cannot
account for changes in customer
circumstances
Key tool in building customer profiles
Financial institutions hold unique data and
viewpoint
Help law enforcement agencies to track
criminal proceeds
Enable law enforcement agencies to develop
typologies and operate risk-based approach

Key messages
Risk-based approach directs
resources to areas of greatest risk,
making best use of all our efforts
Focuses on real outcomes, including
social harm behind financial crime
Relies on:
Use of skill and judgement
Information sharing and collaboration
between firms and authorities

Any questions?

Philip Robinson
UK Financial Services Authority
November 2007