The Development of Risk Based Policies and Procedures

For the management of your compliance the context in which you apply the legislation within your own business is immensely important. Risks, and therefore policies and procedures, are expected to vary from business to busines, from the simple and low key for small businesses with a long-established, stable client base, increasing in detail and complexity as businesses grow in size and customers are involved in transactions that are more complicated.

The government has accepted that a natural consequence of the risk sensitive approach is that it will not detect or deter all money launderers and that a zero tolerance approach would be over-burdensome for businesses. If you apply the Regulations reasonably in the context of your own practice, you will have nothing to fear from the law enforcement agencies or your supervisory authority, even if you inadvertently act for money launderers or terrorist financiers.

The need for a risk assessment
To apply the Regulations on a risk-sensitive basis, as required, you must:

  • have a reasonable estimate of the risks to which your business is exposed
  • establish and maintain appropriate and proportionate policies and procedures to manage those risks.

There no need to eliminate risk, merely to reduce them to a tolerable level. What is ‘tolerable’ is a matter of balance between opportunity, likelihood and impact

What are the risks?
When we talk about risk, we are describing a combination of three things:
1. Opportunity: – opportunity for a client to exploit your services for money laundering or terrorist financing related activity. Opportunity exists irrespective of the honesty of the particular client. High cash businesses, complex transactions and corporate structures provide heightened opportunity.
2. Likelihood: – of the opportunity being exploited. Your assessment of the opportunity and your client is relevant. A client you know is less likely to exploit the opportunity than a client you do not know; a transaction that does not appear to have an economic purpose represents a heightened likelihood of being a money laundering or terrorist financing transaction.
3. Impact: – the likely negative impact upon society should the opportunity be exploited. It is suggested that the dealing in proceeds from non-accountancy-related crime would tend to have greater negative impact upon society than accountancy ‘irregularities’, as it is likely to be linked to other criminal activity and contribute to the profitability of organised crime.

The source of risk
The risks to your practice may come from a variety of sources, such as:

  • the services you provide;
  • your client base
  • individual clients
  • geographic location
  • your existing management policies and procedures

Your services
Some regulated services lend themselves more readily to exploitation for money laundering and terrorist financing purposes than others. For example, some services can be used to obscure ownership or the source of property, such as:

  • services in relation to complex transactions, particularly involving layering
  • setting up trusts to distribute funds
  • setting up corporate structures, particularly where ownership is opaque

Other services may be used to aid the movement of illicit funds, such as those involving:

  • payments to or from third parties
  • payments made in cash or by electronic transfer
    cross-border dimensions.

Your customer base
The make up of your customer base will indicate the general risk that your busines faces in terms of opportunity and likelihood of exploitation, and should determine the general rigour of your policies and procedures. For example:

  • Stable, long-term, customers will present a lower risk than new customers. This is not because long-term customers have less opportunity to launder money but because you have had more time to ‘know your client’. This is more about the likelihood of money laundering than opportunity. There is always the risk that a new customer is looking for a new business to exploit or engage in short-term business activity to ‘clean’ criminal property.
  • Individual clients are generally perceived to present a lower risk than legal entities. This is because the structures of legal entities (companies, trusts, etc) lend themselves to obscuring the real source, ownership and control of property.
  • Some trusts are particularly susceptible to use for obscuring the source and control of property;
  • Politically exposed persons (PEPs) are always seen as presenting a heightened risk.
  • Customers who you do not meet face to face for identification purposes are also always seen as presenting a heightened risk.
  • Customers with an affiliation to countries with high levels of corruption or from which terrorist organisations are know to operate are always seen as presenting a heightened risk.

Individual customers
While a review of your customer base can inform you about general risk level faced by your business, individual customers can present specific risks, to which you must respond. As stated above, PEPs, nonface-to-face clients and clients from certain countries are always high risk but clients outside these categories can also present a high risk, such as those who:

  • engage in transactions with no apparent economic rationale
  • operating through complex and opaque structures
  • deal with third parties who are not readily identifiable or accountable for their participation.
  • The opposite of this is that some individual customers are always seen as low risk

Geographic location
Geographic location is generally accepted as a contributing factor to the level of risk. For example:

  • Customers with overseas connections, whether they are concerned in an entity’s ownership or are involved in a transaction, may present an increased risk of money laundering or terrorist financing.
  • Customers from an area renowned for high levels of crime or certain types of crime, may present an increased likelihood that their transactions are connected with such crime, particularly if they are not local to your practice.
  • Customers from a distant location may raise questions of why they have come to you. They could be going from accountant to accountant until they find one they can exploit or until they perfect their CDD responses.

Your existing management policies and procedures
Your own management policies (or lack of them) could present opportunities for unscrupulous clients to exploit your services to deal in the proceeds of crime or direct funds to terrorist causes. The need for appropriate management of the accountant/client relationship is expressed in the regulations as ‘internal control’