Anti-Money Laundering (AML) Risk Assessment Process

Anti-Money Laundering
Risk Assessment Process
August 2016

A robust risk assessment process is central to maintaining a strong Anti-Money Laundering (AML) compliance
program. The assessment should provide a comprehensive analysis of AML risks associated with the products and
services offered by the lines of business, and act as an aggregated estimate of the AML risks across the enterprise.
• Banks are periodically required to evaluate the AML risks of their individual business units and across the
enterprise. The objective of the risk assessment is to determine the risk profile of the bank and evaluate the
adequacy of the controls in place to mitigate risks. The risk assessment should identify areas of vulnerability to
money laundering, identify weaknesses or gaps in the existing control environment, support informed
decisions on risk appetite, and highlight the bank’s AML risk and control environment for all key stakeholders,
including senior management and regulators.
• The risk assessment is bank-specific with particular risk-factors and categories unique to a bank’s products,
services, customers, entities and geographic locations. Banks should favour a sustainable, effective, and cost
efficient AML risk assessment process that leverages a data-driven approach to risk scoring. A mature risk
assessment process should be executed cyclically, and when triggered by a significant event, using a Factory
Model to decrease costs, increase efficiency, and heighten delivery certainty through the use of dedicated
resources.
• A mature risk assessment process evolves with the organization, increasing in impact, sophistication and
maturity. Financial institutions should take a pragmatic approach to implementing a high-performing
enterprise-wide risk assessment program and approach.
• To develop an enterprise-wide risk assessment program, a structured approach is encouraged so the
appropriate rigor is practiced to identify, document and validate AML risks and controls. As an output from the
risk assessment process, a control testing approach should be developed to monitor AML risks.
Executive summary
Copyright © 2016 Accenture All rights reserved. 2

An AML risk assessment identifies (i) a bank’s inherent risks across a range of categories, (ii) gaps and the level of
risk that is acceptable and in line with the bank’s risk appetite, and (iii) the required controls to mitigate risk.
What is an AML risk assessment?
Identify Mitigate
AML Risk Assessment
Analyze
Products
Geographies Transactions
Entities
Define and agree on the risk appetite
and the risk factors being assessed.
Identify specific products, services,
customers, entities, and geographic
locations unique to the bank and that
should be appropriately weighted to
the bank’s business model.
Communicate and report findings on
identified issues.
Formulate action plans to resolve issues.
Implement or strengthen controls to
avoid, mitigate or reduce the inherent
risks faced by the firm.
Customers
Services
Assess
Determine the inherent risk to the firm through
detailed analysis of the data obtained on the
specific risk factors.
Augment findings on inherent risk with outputs
from internal audits and regulatory exams.
Assess the data to determine whether sufficient
controls exist to address the inherent risk of the
firm, thereby aligning with its risk appetite.
Define
Banks are required to periodically determine the AML risks of their individual business units and, when banks have a consolidated
AML compliance program, this needs to be done enterprise-wide. A bank’s AML compliance program should be structured and
enhanced to adequately address its risk profile and align to its risk appetite, as identified through the risk assessment. Appropriate
policies, procedures, standards and processes to monitor and control AML risks should be developed or updated based upon the
outputs of the risk assessment.

A mature AML risk assessment program helps provide banks with the opportunity to identify and plan for
emerging risks and changes in the bank’s risk profile. The program should leverage a clear, consistent, data-driven
methodology across the enterprise to quantify AML risks in an easily reportable way.
How should an AML risk assessment program be structured?
People
• Include a variety of
subject matter
specialists (SMSs) across
the business and
Financial Crimes
Compliance to allow for
a broader view on risk
and issue management
across the firm.
• Leverage a dedicated
team, and, where
possible, utilize a center
of excellence (CoE) and
/ or the factory model
with offshore capability
to reduce costs.
Governance and
Framework
• A single enterprise-
wide operating
model, consistent
across lines of
business and
geographies, with
ownership within
the business.
• Formally defined
structures,
taxonomies, and
reporting forums for
senior management
review of risk
assessment
outputs.
North
America
Asia
PacificEurope
Latin
America
Governance and
Framework
People
Process
Technology and
Data
AML
Risk
Assessment
Retail
Banking
Commercial
Banking
Private
Banking
Corporate &
Investment
Banking

A mature AML risk assessment program helps provide banks with the opportunity to identify and plan for
emerging risks and changes in the bank’s risk profile. The program should leverage a clear, consistent, data-driven
methodology across the enterprise to quantify AML risks in an easily reportable way.
How should an AML risk assessment program be structured?
Process
• A clear globally
consistent and
standardized
methodology or
process across all
lines of business and
geographies.
• The process should
include standard
language or
taxonomies to
describe risk factors
across all lines of
business.
• Where possible,
incorporate both
automated scoring
and judgmental
decisioning.
Technology and Data
• Implement the AML risk
assessment within a
strategic technology to
support automation of
data feeds, thus
reducing ad hoc data
requests and data
collation periods.
• Define standard risk
factors and identify the
data elements required
to measure risk factors.
Conduct trend analysis
around control
environments to allow
control improvements
to be made.
North
America
Asia
PacificEurope
Latin
America
Governance and
Framework
People
Process
Technology and
Data
AML
Risk
Assessment
Retail
Banking
Commercial
Banking
Private
Banking
Corporate &
Investment
Banking

What is the path to a mature AML risk assessment program?
Rudimentary
Limited formal governance,
fragmented infrastructure and
inconsistent processes
Operational
Centralized governance with
partially consolidated infrastructure
and processes
High-Performing
Market leading AML risk assessment
practices, enterprise-wide
methodology, with formally defined
and adopted infrastructure and
processes
Governance
and
Framework
• Limited or no formally defined
governance structures or
decision-making bodies to
provide oversight and approvals.
• Geography or line of business
specific operating model, with
limited integration.
• No clear articulation or risk
appetite, risk factors, or control
categories.
• No clear ownership of AML risk
components.
• Defined governance structures in
place for approval of AML risk
assessment results.
• Enterprise-wide standards for risk
and control taxonomies.
• Identified key-risk factors, and
risk appetite.
• Fragmented operating model
covering major lines of business.
• Formally defined governance
structures and decision-making
bodies for approvals, planning,
and read-outs to senior
management.
• Enterprise-wide operating model,
consistent across lines of
business and geographies.
• Established risk and control
taxonomies, risk factors, and risk
appetite.
• Business ownership of most AML
risk components.
A mature risk assessment program evolves with the organization, increasing in impact, sophistication and
maturity. Financial institutions should take a pragmatic approach to implementing an enterprise-wide risk
assessment program and approach.

Rudimentary
Operational
and processes
High-Performing
processes
People
• Senior management aware of
AML risk assessment needs, but
no dedicated risk resources.
• AML risk assessment performed
by line resources on a part time
basis.
• Senior management aware of
AML risk assessment, structured
review conducted leveraging line
resources and compliance
personnel.
• Management has adequate
industry experience in executing
AML risk assessments.
• Senior management view AML
risk assessment as integral
component of AML compliance
program.
• AML risk assessment has
dedicated resources leveraging
the factory model for operational
activities, with oversight from
highly trained AML specialists.
Process
• Ad-hoc AML risk assessment
processes.
• Limited enterprise-wide
methodology or approach.
• Bespoke AML risk assessment
methodologies per line of
business or geography.
• Mainly manual processes, no
automation.
• Partially standardized processes
across lines of business and
geographies.
• AML risk assessment viewed as a
requirement but applied
superficially and focused on
fulfilling regulatory expectations.
• Ad-hoc risk assessments
conducted on higher risk areas.
• A defined globally consistent
process across lines of business
and geographies, supported by
workflow.
• Standardized AML risk
assessment methodology and
approach.
• Automated risk scoring coupled
with judgmental decisioning.

Rudimentary
Operational
and processes
High-Performing
processes
Technology
and Data
• Little or no technology used to
facilitate the AML risk
assessment.
• Limited data availability and no
agreed upon system of record.
• Static reporting without analysis
or action orientation.
• Technology may or may not be
used to drive AML risk
assessment routines.
• Limited data availability.
• Reporting is proactive and
analyzed to drive organizational
improvements.
• AML risk assessment process
implemented within a strategic
technology tool.
• Agreed data sources and systems
of record for data extraction.
• Central repository and standards
data dictionary leveraged.
• Automated and dynamic
reporting allowing for on-going
and periodic assessment.

To develop a robust AML risk assessment program, a structured approach is suggested to give the firm a proper
understanding of its risks and the effectiveness of the controls over those risks.
What is the approach for an effective AML risk assessment program?
Deliver
executive
summary
Mobilize and
prepare data
points
Document key
AML risks and
controls
Identify
improvement
opportunities
Obtain SMS
validation /
approval
Define and agree on
risk appetite
Identify systems of
record for extracting
data
Agree on specific risk
factors and data
elements needed
Identify and document
AML risks and controls
Conduct risk scoring to
identify critical focus
areas
“Sense check” data
outputs with business
and compliance SMSs
Map focus areas
against current state
catalogs and processes
Map focus areas
against current controls
framework
Document risk and
control matrix
Aggregate evidence for
baseline controls test
Validate risk and
control matrix with
SMSs
Conduct stakeholder
workshops to identify
additional pain points
Develop dashboards
presenting risk
assessment outcomes
Document executive
summary of AML risk
assessment findings
AML Risk Assessment Program
Stakeholder communications
Traceability to controls and monitoring and testing plans
Planning and program governance
Agree on standardized
templates and
taxonomies
Agree on weights for
risk factors
Develop action plans to
address gaps and high
risk areas
Incorporate audit
findings and prior risk
assessment findings

The AML risk assessment is central to maintaining a robust AML compliance program. However, many banks face
regulatory scrutiny as well as difficulties in executing such a review due to process, data, talent and time constraints.
What common challenges do firms face in executing AML risk assessments?
Limitations with current
processes
Timeline
pressures
Limited availability
of data
 Limited availability of
experienced AML talent
at scale in local markets.
 Over reliance and key-
man risk on longstanding
AML managers’
experience and
subjective analysis.
 AML risk assessment
perceived as a “tick-box”
activity.
 Regulators are
increasingly demanding
more frequent and
periodic AML risk
assessments.
 The time between
requesting AML data and
completing the risk
assessment is often
significantly long. This
often results in stale or
outdated results.
 Limited availability of data
required to complete the
AML risk assessment.
 Non-repeatable processes
to collect quantitative
data.
 Limited data granularity
impacting the
appropriateness and
suitability of the data in
the AML risk assessment.
Resource constraints
with competing
priorities
 AML risk assessment
process may not be
adequately defined and
documented to support
robust analysis.
 Risk categories and
factors not defined or
weighted appropriate to
the bank.
 Complexities and risk in
business processes not
adequately defined.
In light of these and other challenges, financial institutions are looking for better approaches to manage their
AML risk assessment programs and deliver repeatable, scalable, and cost efficient execution of AML risk
assessments on a cyclical basis.

There are a number of common challenges that impact the effectiveness of an AML risk assessment. Potential
solutions to these challenges have been developed via key lessons learned from AML risk assessment programs.
How can the common challenges be addressed?
11
Challenges Potential Solutions
Timeline pressures  Automate or partially automate risk scoring to facilitate an ongoing view of the
bank’s risk profile based on geographies, lines of business, products and services, and
customer segments.
 Implement data feeds from systems of record to automated tools that perform
ongoing risk scoring to reduce elapsed time between data requests and generation of
risk assessment results.
 Adopt a risk-based approach to scheduling AML risk assessments so that high risk
areas are more frequently monitored and reviewed.
Resource constraints
with competing
priorities
 Leverage a center of excellence model to reduce resource demands by centralizing
repeatable, resource-intensive activities, and implementing a change management
process to help schedule AML risk assessments throughout the year without undue
demands being placed on line managers.
 Require lines of business to assume accountability by formally accepting or
presenting detailed plans to mitigate high / critical risk events.
 Prioritize the AML risk assessment as an important tool in risk identification and
regulatory reporting. Risk culture should be supported by senior leadership, and
staffing and budgeting plans should reflect the needs of the AML risk assessment
program.
Copyright © 2016 Accenture All rights reserved.

There are a number of common challenges that impact the effectiveness of an AML risk assessment. Potential
solutions to these challenges have been developed via key lessons learned from AML risk assessment programs.
How can the common challenges be addressed?
12
Challenges Potential Solutions
Limitations with
current processes
 Implement the AML risk assessment methodology via a tool (vendor solution or
custom build) and create standardization across regions and lines of business.
Leverage case management to create additional efficiencies as well as supporting
audit and reporting capabilities.
 Utilize standardized taxonomies to identify risks and controls and a standard rating
scale to determine impact, likelihood, and effectiveness measures.
Limited availability
of data
 Incorporate all available information into the assessment. Firms should leverage
internal and external data and compare risk and controls to internal metrics (key
performance indicators / key risk indicators).
 Develop standard data dictionary that can be consistently used by all stakeholders
including the lines of business, Operations, Compliance and Technology.
 Recognize the subjective nature of the AML risk assessment, but drive consistency
through standardized terminology and the overall assessment process.

13
For More Perspectives on AML
Accenture Fraud & Financial Blog:
– Anti-Money Laundering (AML) Risk Assessment Process
• http://fsblog.accenture.com/finance-and-risk/building-a-strong-anti-money-
laundering-risk-assessment-process
Accenture Point of View:
– Reducing the Cost of Anti-Money Laundering
• https://www.accenture.com/AMLCompliance
– Building a Sustainable Back Secrecy Act and Anti-Money Laundering Program
• https://www.accenture.com/us-en/insight-anti-money-laundering-and-bank-
secrecy-act

Anti-Money Laundering
Risk Assessment Process
14
Disclaimer
This presentation is intended for general informational purposes only and does not take into account the
reader’s specific circumstances, and may not reflect the most current developments. Accenture
disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and
completeness of the information in this presentation and for any acts or omissions made based on such
information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible
for obtaining such advice from their own legal counsel or other licensed professionals.
About Accenture
Accenture is a leading global professional services company, providing a broad range of services and
solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience
and specialized skills across more than 40 industries and all business functions—underpinned by the
world’s largest delivery network—Accenture works at the intersection of business and technology to help
clients improve their performance and create sustainable value for their stakeholders. With more than
375,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the
way the world works and lives. Visit us at www.accenture.com
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

Anti-Money Laundering (AML) Risk Assessment Process

In this document