The Dirty Money Series #6: Conducting a risk assessment

Posted by Dacreed on May 27, 2019 1:29:00 PM

The foundation of a business’ AML/CFT (anti-money laundering and countering financing of terrorism) regime is an adequate and effective risk assessment. Businesses covered by the AML/CFT regime (known as reporting entities) have to assess the risk of money laundering and financing of terrorism they may reasonably expect to face in the course of business. This is called a risk assessment and must be done before creating an AML/CFT compliance programme.

It involves identifying the inherent risks faced by your business. ‘Inherent’ risks are those that exist before the controls required by the AML/CFT regime are put into place in your business.

There is no template for making the risk assessment. The AML/CFT regime is risk-based so the risk assessment developed by each business should be specific to the characteristics of that business and its clientele. Compliance with the regime can’t be reduced to a formula and there is no substitute for having a proper understanding of the business. In other words, a business owner knows more about their business than anyone else and is best placed to assess the inherent risks and vulnerabilities it faces.

When you assess how the business may be vulnerable to ML/TF risks, you must consider all of the following:

  • Nature, size and complexity of the business, eg a business that conducts complex transactions across international jurisdictions could offer greater opportunities to money launderers than a purely domestic business
  • Products and services offered, eg does the product/service allow for the movement of funds across borders? Does the product/service commonly involve receipt or payment in cash?
  • The way products and services are delivered, eg are services delivered face to face, or via the internet, or the post?
  • Types of customers the business has, eg are they a cash-intensive business? Are they a non-profit organisation?
  • Countries dealt with in the ordinary course of business, eg do they have effective AML/CFT measures? Do they have high levels of organised crime, bribery and corruption?
  • Institutions dealt with in the ordinary course of business, eg what is the nature of their industry or their association? What are the types of business relationships that they have?

The risks the business faces in relation to each of these criteria must be identified and assessed, i.e. how do all these criteria contribute to or mitigate the business’s risk of being exposed to money laundering or financing of terrorism?

The risk assessment should be proportional to the size of the business and the risks it faces, eg a sole operator’s risk assessment isn’t going to be large. The more complex and large the business is, the more detailed and in depth the risk assessment will need to be.

When going through this exercise, business owners are required to use the sector risk assessment and compare the information it contains with what they know about their own business, so that they can narrow down what their own risks might be. For example, a sector may have a medium-high risk assessment if there is a wide geographic spread and easy access of services. However, even if the business is a member of a sector with a high risk assessment, it doesn’t necessarily mean the business has a high ML/TF risk; it means the business must have a close look at the extent to which it is exposed to specific vulnerabilities.

A risk assessment is not a casual thing; it must be recorded in a formal risk assessment document. Nor is it a one-off exercise; a risk assessment is a living process. The document must therefore state how your business is going to keep the risk assessment current.


A comprehensive risk assessment guideline has been produced by the FMA, Reserve Bank, and Department of Internal Affairs. 


Next in the Dirty Money Series: Preparing the AML/CFT programme


Advance quiz

Is it possible for a reporting entity to breach the AML/CFT Act even if there is no evidence that any money laundering or financing of terrorism occurred?


Hint: The Act is designed to ensure each reporting entity establishes processes and procedures to deter money laundering and the financing of terrorism.

