How to conduct Business Risk Assessment in IFSCA Entities: A Step-by-Step Approach

Conducting a business risk assessment is mandatory for businesses regulated by the International Financial Services Centres Authority (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022. Business risk assessment is essential to ensure that businesses can effectively identify, analyse, mitigate, and monitor the money laundering (ML) and terrorist financing (TF) risks they encounter.

Below is a detailed step-by-step approach for conducting a thorough business risk assessment.

Step 1: Business Overview

Before assessing the ML/TF risks that it may face, a regulated entity should be ready with an overview of its nature, size, complexity of business operations, its customer base, the geographies it serves, its products and services, its structure, etc. A business overview will allow the business to conduct a thorough and informed risk assessment which is tailored to its needs.

Step 2: Risk Factors Identification

The next step is to identify the potential ML/TF risks that could impact the business. This process involves analysing the exposure of the business by considering the following ML/TF risk factors:

  1. The types of customers the business serves and their activities
  2. The countries or geographies in which it conducts business operations
  3. The products and services it provides
  4. The delivery channels in use

As per the IFSCA requirements, ML/TF business risk assessment should also be conducted during the development of new products, adoption of new business practices and delivery channels, engagement with new partners, use of new technologies, etc.

Step 3: Assessment of Inherent Risk (Gross Risk)

(Inherent Risk = Impact * Likelihood)

After identifying the ML/TF risks related to the risk factors discussed in Step 2, businesses should analyse the likelihood of a risk occurring and the potential impact if it occurs. This is the inherent ML/TF risk the business faces. This evaluation allows businesses to understand how the ML/TF risks could affect the business in terms of legal penalties, economic loss, reputational damage and operational challenges.

The likelihood of occurrence is measured by evaluating the previous year’s data to gauge how frequently each risk materialised. For example, if the risk occurred 8-10 times in the previous year, such risk can be considered highly likely to occur.

Step 4: Controls Implementation

After the ML/TF risks are identified and their impact considered, the next step is to adopt the risk control measures based on the impact of the risk. For example, if the business recognises that a part of its customer base is of high-risk category, it can adopt enhanced due diligence mechanisms accordingly. These measures need to be properly documented. Documentation allows the staff to understand their role in mitigating ML/TF risks. It also allows the risk control measures to be audited and improved.

Step 5: Assessment of Residual Risk

After inherent risks are adequately addressed through risk control measures, residual risks need to be tackled. Residual risks are the ML/TF risks that remain even after risk control measures are adopted to mitigate the identified inherent risks. The residual risk can help businesses determine if the risk is acceptable based on their risk appetite. Risk appetite is the acceptable amount and type of risk that the business can handle.

Step 6: Personnel Training

Compliance staff should be trained and made aware of the ML/TF risks the business faces and the control measures in place to mitigate these risks. Employee training will allow the employees to effectively perform their role in the anti-money laundering/combating the financing of terrorism (AML/CFT) program of the business.

Step 7: Continuous Monitoring

Risk assessment is not a one-time process. The evolving ML/TF risks should be tackled through continuous monitoring and adoption of new and updated risk control measures.

Step 8: Record Keeping

Maintaining thorough documentation of the enterprise-wide risk assessment (EWRA) is necessary to allow for the creation of audit trails, establishing a clear system of controls, analysis of past records and improving control measures with time.

Conclusion

Conducting a business risk assessment in businesses operating in the IFSCA is a systematic process that requires careful planning, execution, and continuous improvement. By following the step-by-step approach explained in this infographic, businesses can build a strong ML/TF risk management program that protects them from ML/TF risks.

We are committed to assisting regulated entities in India with the proper enforcement of AML and CFT regulations by designing a personalised AML framework – policies, internal controls, and procedures – and ensuring effective implementation of the same.

© AML India 2023. All Rights Reserved.
