How do I determine and substantiate an AML risk profile?

How do I determine the risk profile?

I am regularly asked this question. Within AML, we know a low, medium and high risk profile. You choose your risk profile and the type of follow-up research based on the information provided by client. Below is a brief overview of the three types of risk profile.

Low 

• Listed company (wholly owned subsidiary)
• Government agency
• Regulated party, such as an investment fund

A listed company or its wholly owned subsidiary is supervised in the same way as a government agency or other regulated party and is classified as having a low risk profile.

Medium  
This is the starting point for assessing money laundering risks. Every client has a medium risk profile by default until you prove otherwise. Based on various factors, you determine whether this is correct.

High
You determine a high risk profile based on:

• High-risk country
• PEP
• Company structure
• Activity/industry
• Nature of transaction/service

What do I write down to explain the risk profile?

Sometimes we see a lawyer's note in a file stating, "Low risk, because I've known this client my whole life." Unfortunately, this is not a justification for compliance. Our advice is, make the balancing and final assessment only when you have gathered all the information and you have a complete picture of your client. What you write down next is a mini summary of your observation. You choose the risk profile and describe why.

We work as compliance officers in several companies. When we assess files, we write, in the case of a medium risk profile:

• Which country the client is based in;
• Whether the corporate structure is transparent;
• In which country the UBO resides;
• Whether any matches follow from the screenings and;
• Whether any other particularities have been identified in relation to the services for the client and the activity or sector/industry in which the client operates. 

It is basically a short list of possible risks and whether any particularities have been identified. In an earlier article, we wrote what exactly you screen and in another article you can read about what documents you need for identification and verification.

Below are three other examples of a statement for each risk profile:

• Low risk profile

''Client is wholly owned subsidiary of a US listed company. The stock exchange is SEC regulated. No other peculiarities were noted with regard to client's activity and services.''

• Medium risk profile

''Client is established/residing in the Netherlands. The representative also UBO is resident in the Netherlands and has Dutch nationality. The shareholder structure is not complex and fully transparent. No other peculiarities were noted with regard to client's activity and services.''

• High risk profile

''Client is based/living in a high-risk country. The shareholder structure is complex, but the construction of the structure can be logically explained. No other peculiarities have been noted regarding the client's activity and services.''

In short, there is no need to write an essay. However, do give a moment's attention to the countries involved, the UBOs, the corporate structure, whether any hits come from the screening and any other peculiarities such as whether the services are appropriate to the sector/industry in which the client operates.

What research do I carry out based on the risk profile?

Once you have determined, justified and recorded the risk profile for your client, you take the next step: the investigation. The type of research you conduct usually depends on the risk profile.

Simplified research 
You perform simplified research at a listed company (wholly-owned subsidiary) or government agency/regulated party.

Regular research
This type of investigation is the starting point for medium risk profiles. When evaluating files, write in a regular investigation that there is no reason to conduct a simplified/enhanced investigation.

Enhanced research
You carry out enhanced due diligence when the risk profile is high. In this investigation, you look at the origin of the assets, the shareholder structure, points of attention regarding the resources of the transaction, etc. If you tick the box 'enhanced screening' in RegLab, additional questions will automatically follow. Based on your answers, you will be guided through various workflows. 

Low profile, still enhanced research
Sometimes, a client with a low risk profile may still require enhanced due diligence. For instance, if the client wants to establish a company in a high-risk country. The risk profile may then still be set at low, while you have to do an enhanced scrutiny because a high-risk country is involved in the transaction. This will not happen often in practice, yet we would like to make you aware of the exceptions we encounter.

What do you write down for each type of research? Practical examples:

You also write down the type of research and your reasoning and outcome to it. Here are a few examples.

• Simplified research

''Client is wholly owned subsidiary of a US listed company. The stock exchange is SEC regulated. Therefore, no UBO is raised and simplified research is appropriate.''
 

• Regular research

''There is no reason to conduct simplified/enhanced research.''
 

• Enhanced research 

''Client is based in a high-risk country and has an international structure. The reason for the construction of the complex shareholder structure is known and plausible. Enhanced research is therefore considered appropriate.''