What’s meant by inherent risk?

‘Inherent risk’ is the level of money laundering, terrorist financing or proliferation financing risk that’s presented by the nature of your business and its clients before you put any controls in place. It’s measured before your AML policies, controls and procedures (PCPs) kick in. Any risk that’s left after you have put in place risk mitigations is known as ‘residual risk’.
Inherent risk is identified by your business risk assessments (both your business-wide assessment and the assessments of relevant service lines) and your client risk assessments.
Your business risk assessments build the overall picture of the risks your business is exposed to across its services, delivery channels, geographies and client base. Then when you assess a client or transaction, you need to assess what risk, if any, they add to your business-wide picture.
As your business and clients change, your inherent risk will change too. It’s vital that you update your business risk assessments, AML PCPs and client risk assessments in line with these changes.
Inherent risk in your business risk assessment
Your business-wide risk assessment is where you begin to investigate the inherent risk of your business. This means considering risks such as:
- Client risk: Who are your intended clients and do they include politically exposed persons, clients from higher-risk jurisdictions or clients with complex ownership structures?
- Geographic risk: What countries and territories are your business and your clients connected to?
- Product and service risk: Are the services you offer more or less vulnerable to misuse for money laundering, terrorist financing or proliferation financing?
- Delivery channel risk: How are your services delivered? For example, do you deal with clients face to face or remotely?
The picture of your inherent risk that emerges from this assessment then needs to inform your AML PCPs. If your business has a high inherent risk, you’ll need different AML PCPs to a business with lower inherent risk.
Inherent risk in your client risk assessments
At a client level, the inherent risk of dealing with that client needs to be assessed before you can decide what level of due diligence to apply. A client’s inherent risk is shaped by factors including:
- Who they are and whether they fall into a higher-risk category such as a politically exposed person (PEP) or a client with links to a high-risk jurisdiction
- The nature of their business or an individual transaction
- The ownership and control structure of any corporate client (including whether beneficial ownership is clear or complex)
- The results of any source of funds and source of wealth checks you have done
- Any information revealed during your adverse media screening
A client with elevated inherent risk will increase your business’ overall inherent risk. It should also trigger your enhanced due diligence process.
Why inherent risk has to come first
The risk-based approach only works if your assessment of your business’ inherent risk is honest and tailored to its own services, delivery channels, geographies and clients. If you underestimate your inherent risk, your AML PCPs won’t be enough to prove effectiveness in an inspection or protect your firm from financial crime.
Supervisors reviewing your risk assessments will look at whether your decision on inherent risk is reasonable, given what you know about your clients and your business. Risk assessments that rate everything as low when that’s clearly not the case will not hold up to scrutiny.
AMLCC’s business risk assessments and client risk assessment tools are structured around inherent risk. They’re designed to guide your team through the factors that matter and produce a documented, evidenced assessment that reflects the real risk your firm and your clients present.