The recently amended Act of 1 March 2018 on counteracting of money laundering and financing of terrorism (“AML Act”) requires “obliged institutions” to carry out the so-called risk assessment (Article 27.1 of AML Act). AML and CFT risks need to be identified and assessed in relation to an organisation’s activity, including risk factors related to customers, countries/geographies, products, services, transactions and distribution channels. The deadline for exercising the first risk assessment is 13 January 2019.
First and foremost, every obliged institution needs to analyse how fraudsters are likely to take advantage of its products, services, solutions or internal resources, such as IT systems or the staff, for the offender’s unlawful gain – or to put it simply: to assess the risk. Such “obliged institution” are, for example, a bank, a savings union (SKOK), a domestic/low-level payment processor, an e-money institution, a payment agent, a settlement agent, an investment firm, a trust bank, a regulated market operator, an investment fund (and its manager), an alternative investment company (and its manager), an insurance company, an insurance broker, Central Securities Depository of Poland (KDPW), commercial currency exchange agents and other currency exchange providers/intermediaries (including for virtual currencies), notaries (certain notarised transactions only), lawyers, tax advisers (limited extent), providers of services involving entity incorporation, corporate body representation, registered address/seat administration, etc., accounting companies, real estate brokers, postal operators, hazard operators, foundation, associations and businesses receiving payments of EUR 10,000 or more, providers of post box services, cash loan providers, etc. Next, the obliged institution needs to analyse the customer, geographical and other factors specified in Article 27.1 of the AML Act and follow up with an assessment system. The system can be based on a points scale where a low score would imply a low risk and a high score a high risk of a factor. When points are summed up for all factors, the total score will provide guidance on how to handle a given case.
Such fundamental assessment is a good starting point for populating a list of red flags triggers, each being a specific modifier of the total score and the associated method of handling a given case. One of such triggers would be a customer who is a high-profile public official (PEP).
Let’s take a simple example of a payment agency (“Agency”) which forwards private payments for municipal utilities, housing fees, etc. The risk assessment needs to reflect the nature and the size of the organisation as bigger organisations that run more complex (more AML/CFT risky) activities will require more advanced assessment models.
Initially, the Agency needs to identify risks related to its business, including each of the factors specified in Article 27 of AML Act: customer pool, countries/geographies, products, services, transactions and distribution channels. The customer risk can be classified along different lines based on, for example, the entity originating a transaction (individual, a legal entity, ane entity without legal personality) or the value/frequency of transactions in the case of private customers. The geographical factor takes into account the places where an organisation provides its services, especially high-risk countries or international ratings (for example corruption). Product, services, transactions and distribution channels can be grouped together in the case of higher quantities, for example services provided in customer service offices vs online/app, transfers to verified mass recipients vs an unknown recipient, payments made in cash vs cards, etc. When determining such divisions one needs to demonstrate a high degree of ingenuity in order to come up with who and how could misuse the organisation for fraudulent purposes. Inspiration can be sought in many public sources, such as FATF publications.
Next, the Agency evaluates the identified risk factors and on a points scale is an optimal solution for that purpose. As every situation builds up from several factors a scale needs to be carefully developed to avoid gaps. For example, if an overestimated number of risk points is allocated to online transactions with foundations, then such unbalanced scale will lead to a situation where an online donation from a Scandinavian state would be considered more risky than cash handed over by a Somalian. It is hence recommended to follow the scenario analysis method to avoid such gaps. In this method, certain combinations of pre-defined factors are grouped into scenarios and allocated to an overall risk score.
The points scaled system is the foundation behind the risk assessment. Next, a specific handling method is assigned to each score level. A low score will be associated with lower intensity of financial safeguards and a higher one with enhanced security. More extreme scores could result in refusal to enter into legal transactions, or even a one-time legal event with a given party, as required under Article 41. 1 of AML Act.
The next step is the super-layer of red flag triggers which modify the basic risk assessment score. As each red flag is a very specific modifier of the total score, it can also change the actual method of handling a given case. In the case of the Agency, such list of red flags could include refused disclosure of the actual beneficiary details, attempted use of a forged ID, a suspiciously looking pay card, a transaction in Poland involving a very rare currency, etc. One of the obvious triggers should be engagement of an exposed political official – a case expressly defined in AML Act as requiring a special handling. However, it does not mean that every PEP would be equally subject to special measures of financial security, as is the case of a court of appeals judge versus an Iranian ambassador, with the latter implying greater risk than the former.
The complete risk assessment model should be once more reviewed using the scenario analysis method and then implemented in the organisation. The resulting report can be paper-based or electronic. It always requires approval from a competent corporate body in the organisation (for example, a management board in a limited liability company or a joint-stock company). The organisation will forward such reports whenever requested by the General Inspector of Financial Information (GIIF). Scores should be updated “as needed” but not less than once every two years. Every subsequent update will reflect the national risk assessment report and other reports from the European Commission which however have not been available yet (the EC reports will be based on domestic risk assessments). What do updates “as needed” mean? The assessed risk score needs to be updated especially when the underlying risk factors applicable to customers, countries/geographies, products, services, transactions or distribution channels change or the above domestic/EC risk score is modified.
As explained above, the risk assessment exercise can range from a very simple output in a Excel table, for example, up to high-complexity multi-source systems in the case of banking institutions – depending on the size and nature of the business. JustComply provides advisory related to risk assessment procedures, end-to-end implementation of AML/CFT systems, and follow-up audits of systems already in place. We also offer a range of innovative AML e-learning courses.