bronID assesses six risk categories to perform the ML/TF risk assessment as apart of Part A of the AML/CTF Act obligations.
The risk environment your designated service is exposed to. For example, digital currency exchanges are more vulnerable to risks related to cybercrime and hacking.
The type of product or service provided, for example, exchanges versus banking and what is the justified risk of each of these products independently and as a suite. Once you release a product which requires reporting to AUSTRAC, you are inviting regulatory risk for non-compliance in addition to the business risk.
A complete list of the various product/service offerings should be compiled and assessed for their vulnerability to money laundering and terrorist financing.
How you categorise your customers into low/medium/high risk-buckets and what you do with the sensitive PII information a customer shares during the KYC verification process are important processes to outline when conducting an AML risk assessment, identifying your ML/TF risk and building your AML program.
it is important to do PEP and Sanctions checks for each customer. This should also influence which risk bucket you place each customer in. Customer identification influencing the risk is explored further in Know Your Customer.
These are the risks of ML/TF your internal business activities create. For example, assessing the risk the employees who are performing KYC verifications is one aspect of operations risk. Operation risk is also influenced by what internal policies and procedures are in place to perform AML/CTF controls.
The method of delivery of your service. Whether that be face to face, over the counter (OTC), through an online market, web application or app. While face to face offers less risk to facilitate money laundering than digitally, most financial services today are online services.
An AML program is able to identify, categorise and attribute an ML/TF risk score of providing services within a particular jurisdiction. These being, low (requires monitoring), medium (concern) and high (the primary concern). To determine these factors you will need to asses the political, economic, legal, cultural and government structures and standards in each country.
There are a variety of international organisations which assess the jurisdiction risk of ML/TF. Some focus on the countries overall risk others provide information on assessing the risk posed by PEPs and sanctions pose within these jurisdictions.
There are a few factors you should consider when assessing your jurisdiction risk when providing service internationally.