
What’s meant by residual risk?

Lisa Simms

Director and Founder of AMLCC and AMLCC Consult


‘Residual risk’ is the level of money laundering, terrorist financing or proliferation financing risk your business faces after you have effectively applied your AML policies, controls and procedures (PCPs), which detail your risk mitigation steps.

To be able to calculate your residual risk, you first need to have an accurate picture of your inherent risk. This is the risk presented by your business, services, delivery channels, the geographies you operate in and your clients, before any controls are applied. 

Once you understand these risks, you can then develop AML PCPs that mitigate them.

What affects your residual risk?

Residual risk can change depending on how well your AML PCPs address the inherent risks your business faces and how well those PCPs are applied by staff across your business.

FATF’s risk-based approach guidance identifies some of the common weaknesses in the day-to-day practices of regulated businesses that make residual risk higher than risk assessments might suggest.

Client identity verification

Identity verification means confirming who your client is and that they are who they say they are. If the identity of the person or entity you’re dealing with hasn’t been properly established and verified, every decision you make from that point is based on an uncertain foundation.

Beneficial ownership

The ultimate beneficial owner of your client’s business can easily be obscured through nominee arrangements and layered ownership structures. You need to unpick these structures and identify the natural person behind them to have an accurate idea of inherent and residual risk.

Ongoing monitoring

Risk evolves over time as your client’s circumstances or the nature of their business change. FATF’s Recommendation 10 requires regulated businesses to keep client documents, data and information up to date. This ongoing monitoring means you’re aware of any changes and can update your risk assessments and AML PCPs to mitigate them.

Risk assessment documentation

Business and client risk assessments that exist but don’t accurately document the inherent risk and the reasoning behind your risk rating aren’t enough. Inspectors and law enforcement expect you to show why your risk decisions about a client were made.

Complacency in established relationships

Residual risk isn’t ever lower because you have a long-standing relationship with a client. If anything, it’s higher because many regulated businesses stop updating their risk assessments and ongoing monitoring because they ‘know the client’.

What happens if your residual risk is high?

There will be clients and situations where residual risk remains high, even after you have applied your AML PCPs. This doesn’t mean you can’t do business with that client. You just need to have the correct levels of mitigations in place and make sure they’re being used effectively.

Higher residual risk should trigger some form of enhanced due diligence (EDD). This might mean:

  • obtaining additional information on the client’s source of funds or source of wealth;
  • requiring senior management approval before proceeding with the relationship or transaction;
  • increasing the frequency of ongoing monitoring reviews;
  • seeking independent verification of information the client has provided;
  • applying closer scrutiny to the purpose and intended nature of transactions.

FATF makes clear that enhanced due diligence measures should be applied where higher risk is identified, and that those measures should be proportionate to the level of risk.

Why you must document your residual risk

Simply assessing residual risk isn’t enough. Your records need to show the reasoning behind your risk decisions.

When a supervisor reviews your risk assessments, they’re asking if the residual risk you’ve determined is valid given the inherent risk you identified. A risk assessment that shows significant risk factors but has arrived at a low residual risk rating will be questioned if there’s no reasoning to show your decision. 

The standard you’re aiming for is a record that gives the full picture of your thinking: “This is the inherent risk I identified, here is what I did about it, and here is the residual risk.”

AMLCC uses your business and client risk assessments to calculate your inherent and residual risk, and produces the evidence you need to show your supervisors any decisions made as a result. 

Explore how AMLCC’s features can manage your inherent and residual risk, keeping your business completely AML compliant

The one-stop AML solution

We know AML

We’re internationally recognised AML experts
We work with most accountancy supervisors and the Law Society
Bespoke AML consultancy available for all sectors
