Anti-Money Laundering News and Insights | AMLHUB Blog

Understanding AML Risk Assessments and Compliance Programmes

Written by Jessica Winquist | Jul 15, 2025 2:03:46 AM

If your business is captured under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) you are required to assess your exposure to financial crime and implement effective mitigation strategies. Two critical documents underpin this: the risk assessment and the compliance programme.


What is a Risk Assessment and Compliance Programme?

A risk assessment identifies the money laundering and terrorism financing risks your business is exposed to. It must consider factors such as the nature, size, and complexity of your operations, the products and services offered, the types of customers you deal with, how services are delivered, and which countries or institutions are involved.

A robust assessment should:

  • Cover all lines of business
  • Analyse risk across key categories such as customers, geography, delivery channels, and services
  • Use a logical and justifiable methodology to assign risk levels
  • Reflect the actual operations and scale of the business

The compliance programme details how your business will manage and mitigate the risks identified in the risk assessment. It outlines the policies, procedures, and controls that are to be followed. The programme must be both adequate (meeting the Act's requirements) and effective (functioning in practice).


Common Risk Assessment pitfalls

Regulators have highlighted several issues frequently found in risk assessments:

  • Incomplete coverage of business units or activities
  • Missing or vague methodology for risk measurement
  • Lack of detail on business nature or complexity
  • Risk ratings not supported by reasoning
  • No schedule for reviews or updates
  • Misalignment with guidance from Supervisors
  • Poor documentation or absence of version control

Common Compliance Programme issues

Deficiencies in compliance programmes can expose businesses to enforcement action. Common concerns include:

  • Missing version control tables
  • No formal approval by the Board or senior management
  • Disconnection between documented procedures and actual practice
  • Insufficient linkage to Supervisors’ guidance
  • Controls that are overly generic or lack specificity
  • Reliance on external documents not appropriately referenced
  • Failure to structure content according to policies, procedures, and controls (PPCs)

What the Compliance Programme covers

Your compliance programme must provide detailed, practical processes for:

  • Staff training
  • Staff vetting and hiring
  • Customer Due Diligence (CDD)
  • Account and transaction monitoring
  • Suspicious activity and prescribed transaction reporting
  • Record keeping and data security
  • Ongoing oversight and governance of the AML programme


Why these documents are required

If your business is a reporting entity under the AML/CFT Act, having a risk assessment and compliance programme is not optional — it is a legal obligation. Without a risk assessment, you cannot clearly understand your exposure. Without a compliance programme, you have no documented pathway to reduce that exposure.

The DIA stated in its 2020 Regulatory Findings Report:

“We will continue to focus our supervision on whether or not a business understands its money laundering and financing terrorism risks. Risk assessments must be kept current, reviewed and updated at appropriate times to reflect changes in the business, with version-controlled documentation showing the alterations.”


How to maintain relevance and accuracy

These documents are not static. A risk assessment and compliance programme must be updated when changes occur, for example when:

  • The business expands into new service areas
  • New customer segments are targeted
  • A business introduces new products
  • Company structure or operations change
  • Supervisors issue new guidance
  • Legislation is amended


How often should they be updated?

At a minimum, your risk assessment and compliance programme should be reviewed annually, or when changes occur (see above).

Version control is critical. You must retain previous versions and clearly document changes. Regulators and auditors may request to see how your approach has evolved over time.