CFT Risk Assessment: How to Remediate Financial Crime Vulnerabilities in 2024?

Toiling to the idea of a protected global financial system and national security that is capable of fighting the financial vulnerabilities, countering the financing of terrorism CFT risk assessment is a non-negotiable measure.

Reported by Reuters, Biden’s administration has folded sleeves to slow down Russia storming Ukraine with over 500 new sanctions and export restrictions which demands businesses to be more vigilant and aware of compliance threats for better risk management.

Amid the growing complexity of the compliance environment, the cruciality of anti-money laundering and countering the financing of terrorism (AML/CFT) risk assessment can be resonated with a famous saying of Niccolò Machiavelli,

“The wise man does at once what the fool does finally.”

The wisest of the actions, for financial institutions, is to timely and swiftly assess AML/CFT risks before falling prey to equipped and organized crime actors. With numerous regulations in place  and no uniform guidelines on how to conduct the risk assessment, this article is aimed to help you understand the nuisances and best practices of upholding AML/CFT compliance.

A Quick Recap: What is AML/CFT Risk Assessment?

The establishment of a functional and efficient compliance program to combat money laundering and associated predicate offenses such as financing of terrorism and proliferation relies on analyzing the AML/CFT risks your business is exposed to.

Akin to the building block of compliance, the swift yet robust assessment of risks allows institutions, particularly financial institutions to measure the magnitude of AML/CFT risks clients and potential partners carry with them.

The magnitude of such threats can vary from business to business while the regulatory expectations to conduct the risk assessment stay the same whether it’s a big organization or SMEs (small to medium enterprises). Let’s take a look at the regulatory expectations, institutions are required to meet.

Five Prominent Ruling Bodies of Risk Assessment

It is imperative for institutions covered by the AML/CFT regulations to design their compliance programs with effective AML/CFT risk assessment. Some of the major regulatory bodies are as below.

Financial Action Task Force (FATF) is a global standards setter that requires its member jurisdictions to implement a risk based approach to stem financial crimes. The employment of risk based approach inherently comes with understanding and knowing the ML/FT (money laundering and financing of terrorism) risks.

Financial Crimes Enforcement Network (FinCEN), under the U.S Department of Treasury, issues and regulates the “Priorities” or known AML/CFT threats faced by institutions in the United States. To meet the requirements of the AML Act (Anti-money laundering act of 2020), FinCEN releases updated guidelines on evolving threats, every once in four years for institutions to align their compliance program with priorities.

The Financial Conduct Authority (FCA) in the United Kingdom, under the proceeds of Crime Act 2002 requires businesses to adopt a risk based approach along with submission of SARs (Suspicious Activity Reports) to the NCU (National Crime Unit).

The European Commission (EC) with its annual Supranational Risk Assessment Report (SNRA) supports its members and financial crimes units to assess the evolving risks of money laundering associated with the EU’s market and services.

Australian Transaction Reports and Analysis Centre (AUSTRAC) expects businesses in Australia to consider AML/CFT risk assessments as an integral tool to combat money laundering and protect global financial sustainability.

In collaboration with global regulatory and enforcement agencies, FinCEN has issued first extended “priorities” which should be adequately incorporated into the AML/CFT compliance program irrespective of the scale of the business.

Eight Prominent AML/CFT Priorities To Be Aware Of

In a perfect alignment with the National Strategy of 2018 and 2020 by the U.S Treasury, these AML/CFT priorities are expected to be a vital part of every extensive risk-based AML compliance program.

Irrespective of the order, every covered institution should be aware of the following AML/CFT threats dubbed as “priorities” which can exploit the global financial stability.

1. Foreign and domestic terrorist financing
2. Proliferation financing
3. Fraud
4. Corruption
5. Cybercrime (cybersecurity and virtual currency)
6. Human trafficking and human smuggling
7. Transnational criminal organization activity
8. Drug trafficking organization activity

With clear understanding of priorities, institutions can identify the crimes which generate illegal money and motivate predators to launder black money and make it look clean. Since the foundation of the compliance program lies in AML/CFT risk assessment, it is equally important to know the types of risks every business should be able to identify and calculate.

Two Types of Risks that Need Your Attention

Before delving into the best practice of performing effective CFT risk assessments, businesses must assess inherent and residual risks their financial system is posed to.

What is Inherent Risk?

The elementary block of up-to-date risk assessment followed by AML/CFT compliance program, an inherent risk has been defined by the Wolfsberg as,

“Inherent risk represents the exposure to money laundering, sanctions, or bribery and corruption risk in the absence of any control environment being applied.”

One must calculate the inherent risk for effective establishment of mitigation strategies to fight money laundering and associated predicate crimes. To calculate inherent risks, businesses are required to,

• Develop a methodology/model to assess the likelihood of money laundering and terrorist financing associated with the products, customers, and services the business deals with. The methodology should include the measurement of consequences if ML/TF happens.
• Inhabit the developed model with details of relevant risks and the characteristics of associated risks to prioritize the risk mitigation with optimal resource allocation.
• Utilize the model to assess the risks happening and magnitude of impacts. The output of assessment needs to be aligned with the risk ranking or scoring in the model.

The identification of inherent risks facilitates businesses to develop appropriate mitigation and control strategies to deal with these risks. Once the control measures are designed and implemented, it becomes easy to assess residual risks.

What is Residual Risk?

As the name suggests, residual risks are defined as leftover risks after the implementation of mitigation measures. For instance, ML/TF risks associated with a high-risk client were measured and reduced with AML/CFT compliance program, risks which could not be mitigated through the control measures would be the residual risks.

The scale and intensity of residual risks allows institutions to decide whether additional AML/CFT measures are needed or risks can be avoided altogether. The effectiveness of AML/CFT risk management relies on the model businesses use to calculate these risks as the magnitude of residual risks defines the institutional risk appetite.

Once risks have been assessed, half of the risk assessment is already done. However, an impactful AML/CFT risk assessment can not be performed unless an efficient methodology is applied.

Five Key-Steps to Performing AML Risk Assessment

Adherence to evolving AML regulations is possible through updated and regularly reviewed assessments of risks clients and business partners carry to the integrity of business and financial systems. Below five key-steps are crucial for the effectiveness of in-house AML/CFT risk assessment.

1. Documenting the assessed risks is paramount for an effective AML compliance program. Akin to a living document, an organized documentation system facilitates the implementation of robust mitigation controls for money laundering and financing of terrorism. The regulatory expectations require businesses to outline below documents which must be reviewed periodically to compensate for the evolving criminal behaviors and consequently regulatory changes.

• Methodology to conduct risk assessment
• Likelihood of risks and consequent impacts
• Scale of risks ranging from low to high
• Impacting factors like customers, product, services, and foreign jurisdictions business deals with

1. Implementation of proportionate risk-based controls to reduce the level of AML/CFT risks while considering below factors.

• Scope and nature of customers, transaction, or employees within a business
• Frequency of control systems applicability
• Availability of optimal resources to manage control strategies
• Efficiency and lapses of internal controls and reporting

1. Regular audit and review of AML/CFT risks before launching any new product, service or technology within the business. The alignment of AML/CFT controls with reviewed and assessed risks must be in place along with documenting the adopted rationale. Other than regular reviews, risks must be reassessed when certain triggers occur. Below is a comprehensive map of triggers which requires businesses to reconduct assessment of risks and associated AML/CFT controls.

1. Timely and full access to AML/CFT risk assessment information must be ensured to properly manage, review, and mitigate those risks by risk management individuals. The structured information must be provided to the senior management and boards as the accuracy of information decides the efficiency of governance and oversight.
2. Accountability of adaptable risk assessment through employment of appropriate controls and mitigation measures by the senior management. The placement of control systems to respond to risks is integral to the effectiveness of AML compliance programs.

Two Fundamental Controls for Strengthened AML Compliance

Segregated into two major categories, AML compliance controls are of preventive and detective nature. These controls are formed in the shape of systematic procedures and policies to cater money laundering and financing of terrorism.

Preventive controls are measures that prevent individuals from exploiting any service or product your business offers. Such controls can be maintained through setting transaction limitations or any service provision dependent on approval from senior management. Preventive controls are integral to efficient compliance programs which must be strengthened with detective controls.

Detective controls, on the other hand, enable businesses to monitor activities and customers being onboarded in the financial system. Required by the regulatory and enforcement authorities, businesses are obliged to ensure due diligence which comes with detecting and verifying every client, transaction, and business partner for their association with ML/TF activities. The employment of AML screening services into detective controls ensures the effectiveness of AML/CFT risk management and hence compliance adherence.

Cruciality of compliance and sense of urgency to stem financial exploitation by money launderers and financiers of terrorism requires consolidated compliance solutions, which are not only technology driven but ensures human intelligence. It’s where AML Watcher comes with its compliance partnership and ensures easy, efficient, and advanced compliance solutions.

Connect with us to manage and mitigate your compliance risks tailored to your business needs.