AML CTF Risk Assessment

Lawyers – The first step of AML/CFT compliance is understanding your ML/TF risks

This article by Neil was published in the November issue of the New Zealand Law Society’s Law Talk magazine, which is sent to every New Zealand-based lawyer and others involved in the legal services industry.

One of the main aims of New Zealand’s AML/CFT regime is the identification and management of money laundering (ML) and terrorist financing (TF) risks. The first recommendation within the Financial Action Task Force (FATF) standards is a requirement to understand ML/TF risks at a national and regulated entity level. This indicates the importance that the FATF places on understanding ML/TF risk, and its importance to AML/CFT compliance.

It has been internationally recognised since 2003 that Designated Non-Financial Businesses and Professions (DNFBPs), including lawyers and the legal profession, are vulnerable to being used to facilitate money laundering and therefore should be brought into AML/CFT regimes, if they offer vulnerable services such as the creation and management of companies and other legal arrangements.

There is clear evidence that “gatekeepers”, including the legal profession, can play a role in money laundering, terrorist financing, and the commission of other criminal offences. The ability of lawyers, and other types of gatekeeper, to unwittingly facilitate criminal activity is also high on international and domestic political agendas, with tax avoidance and evasion schemes such as the Panama Papers highlighting particular ML/TF risks and vulnerabilities. Against this background, in August 2017 New Zealand moved to revise its AML/CFT regimes to fully include DNFBPs, including lawyers offering a number of services. This has resulted in lawyers being brought into the AML/CFT regime from July 2018.

The Department of Internal Affairs (DIA), which will regulate the legal profession for AML/CFT, is due to provide guidance on what compliance means for lawyers before Christmas 2017, and as a result lawyers will have around six months to establish compliance regimes.

This is not a long timeframe given the preparation work required, and given the short compliance timeframe for lawyers set by the revised AML/CFT Act, lawyers covered should start as soon as possible in getting to grips with the obligations placed upon them by the AML/CFT Act.

With a focus of the AML/CFT regime on managing ML/TF risk, one of the foundational components of AML/CFT compliance that lawyers and other DNFBPs will need to address is understanding the money laundering and terrorist financing risks they face. Understanding the risks that a business faces will inform the type of AML/CFT programme required and the extent of efforts necessary to achieve compliance. It is unrealistic that lawyers offering services that bring them into the AML/CFT regime would operate in a completely risk-free environment in terms of ML/TF. Therefore, it is important that lawyers identify the ML/TF risks they may reasonably face, then assess the optimal approach to reduce and manage those risks.

Both within New Zealand’s AML/CFT regime and internationally, a number of ML/TF risk dimensions are defined that should be included as part of an ML/TF risk assessment. It is important that lawyers and other DNFBPs understand these dimensions and ensure that they are incorporated into their ML/TF risk assessment.

ML/TF customer risk is the risk or vulnerability that customers may be involved in money laundering or terrorist financing activities. ML/TF customer risk is derived from the nature of a regulated business’ customers, namely the customer location, what business activities they are engaged in, the customer’s legal form, and whether they are a Politically Exposed Person (PEP). ML/TF business risk is the risk that business operations may be vulnerable to money laundering or terrorist financing. ML/TF business risk is significantly influenced by where the business operations are located, whether they use third parties to operate AML/CFT controls and processes, and the ML/TF risks resulting from employees.

ML/TF product and service risk is determined by an assessment of how much functionality and capability the product or service allows the customer or others, including the ability to deposit/withdraw funds (including cash), transact remotely, transact with overseas parties, and include third parties in the transaction, or provide anonymity to the customer.

ML/TF risk is also significantly influenced by the nature and/or attributes of the channels used to deliver products and services to customers. ML/TF channel risk is influenced by whether the delivery of a service involves face to face contact with the customer, as face to face contact limits the ability for customer anonymity and facilitates establishing whether the customer is who they are claiming to be, as well as the use of third parties by the regulated entity as part of the delivery chain of a service.

Additionally, ML/TF country risk is the assessment of a country’s or jurisdiction’s vulnerability to money laundering, terrorism financing, and targeted financial sanctions. Country risk is an important factor within customer, business, and channel risk as each of these risk dimensions contains a jurisdictional component.

In addition to the above risk dimensions, it is also important that regulated entities, including lawyers, understand the external and internal environments in which they operate, and how this can contribute to their ML/TF risks.

The ML/TF risk assessment should therefore also include an assessment of vulnerability to predicate crimes. Predicate crimes are the crimes identified by the Financial Action Task Force (FATF) as capable of generating criminal proceeds and criminally derived assets.

New Zealand has its own unique vulnerability to predicate offences which are captured in the threats identified by its National ML/TF Risk Assessment. New Zealand’s vulnerability should be incorporated by regulated entities into their own ML/TF risk assessments. A regulated entity’s vulnerability to predicate crimes may be because a customer is involved in the commission of one or more predicate crimes and/or is seeking to use products and services to launder the proceeds of a predicate crime.

A regulated entity’s assessment of its ML/TF environmental risks should also include the internal vulnerability to being involved in money laundering, terrorist financing, or breaching targeted financial sanctions.

Like all other assessments of risk, to comply with ISO 31000 standards, an ML/TF risk assessment should assess both the inherent risk and the residual risk. Inherent ML/TF risk is the outcome of an assessment of the likelihood of a risk occurring and the impact of the risk were it to occur, before the controls applied to mitigate the risk have been considered. Residual ML/TF risk is the outcome of an assessment of the identified inherent risk after the existence and operational effectiveness of controls to mitigate that risk have been taken into consideration.

Once ML/TF risks have been assessed, the next step for regulated entities is to develop mitigating systems, processes and controls to effectively manage ML/TF risks. These systems, processes and controls should be set out in the AML/CFT Programme and should be appropriate and proportionate to the ML/TF risk faced.

By assessing their ML/TF risk, lawyers will ultimately be able to ensure that their response is proportionate and therefore does not over-burden the business with unnecessary or inappropriate compliance activity. Undertaking a ML/TF risk assessment is therefore a vital first step for lawyers, and other DNFBPs, in preparing for compliance with obligations under the AML/CFT Act.