SME Law

What is your ML/TF Risk Assessment and why is it so important?

Deadline day to comply with the reformed AML/CTF regime is looming with tranche 2 commencing on 1 July 2026 for thousands of professionals. One of the key pillars to have in place prior to the deadline is your AML/CTF Program, which includes your tailored ML/TF Risk Assessment.

February 03, 2026 By Holley Nethercote

This new obligation, including the need to tailor it to your practice, can sound daunting. As Anthony Jensen, Special Counsel at Holley Nethercote explains, “Even for experienced legal professionals, implementing any significant regulatory change is never straightforward. This is especially the case with the new AML/CTF regime, where we are navigating entirely new and often complex obligations, within a reasonably short consultation and transition period.”

But what does a tailored ML/TF Risk Assessment for your practice actually mean and why is it so important?

What is an ML/TF Risk Assessment?

Your ML/TF Risk Assessment is essentially an assessment of how vulnerable your business may be to being exploited for the purposes of money laundering (ML), terrorism financing (TF) and proliferation financing (PF, financing weapons of mass destruction) when providing your designated services. AUSTRAC commonly refers to these as your ML/TF risks.

The assessment requires you to consider specific factors including the designated services you provide under the AML/CTF regime, your customer types and countries they may engage with, how you deliver your designated services and any relevant guidance from AUSTRAC.

It is also an ongoing obligation, meaning as your practice changes or AUSTRAC issues new guidance, you will need to review and update your ML/TF Risk Assessment to ensure that it remains tailored to your practice and appropriate for its nature, size, and complexity.

Why is it so important?

A well-documented ML/TF Risk Assessment is essential because:

  • AML/CTF Compliance: It is a core obligation of the AML/CTF regime and an essential element of a tailored and documented AML/CTF Program. AUSTRAC guidance emphasises that it must be customised to your practice, so generic templates or blanket ‘low/medium’ risk ratings will be unlikely to comply with the statutory obligation.

  • Practice Risk Management: It informs how you will effectively protect your business from identified ML/TF risks, which not only helps you comply with your statutory obligations, but also makes it an important broader practice risk management strategy. AUSTRAC has emphasised that, because no one understands your business better than you, you are best placed to identify and assess your own risks.

  • Developing your Customer Due Diligence (CDD) processes: Your ML/TF Risk Assessment is also the foundation of your CDD processes, which you must develop and follow when you provide your designated services to your customers, both initially and on an ongoing basis if you have a continuing business relationship.

Keddie Waller, Head of AML/CTF Strategy at Holley Nethercote, has led significant regulatory change for professionals when she was Head of Public Practice at CPA Australia and is aware of the challenge and resource pressures facing the legal profession. “Professionals are busy people who don’t have the time to stop their day jobs to simply focus on how they implement new compliance obligations. Add to that the additional strain this places on their already finite resources in such a short period only adds further pressure on legal practices”.

“However, the reality is it must be done and if you break it down into smaller steps, it will not only be manageable but become a practical risk assessment exercise for your practice”.

Key steps to complete your ML/TF Risk Assessment

  1. Identify:

First you need to identify your ML/TF risks.

  • Identify the designated services you provide. Some will be obvious, but others may be more complicated depending on the current services you provide. You may find a tool like the HN Workbook handy in this step. If you are still unsure, you may need legal advice.

  • Consider the potential ML/TF risks you could reasonably face when providing these services. For example, is your client asking for complex structures because they are trying to hide the source of funds or the ultimate beneficial owner at the end of the ownership chain?

  • Identify your customer types – are they individuals, businesses such as companies, or trusts? Different customers carry different ML/TF risks.

  • Do any of your clients have overseas connections and, if so, are those jurisdictions considered high-risk? You can use resources like the Basel AML Index to check this.

  • Document how you deliver your designated services (in person, online, by email, etc.) and consider the ML/TF risks of each delivery channel.

  • AUSTRAC guidance: don’t forget to refer to guidance such as AUSTRAC’s Risk insights and indicators of suspicious activity for legal professionals.

  2. Assess:

Now that you know what your ML/TF risks are, you need to assess the level of risk you face without applying any controls that will mitigate or manage these risks (commonly known as your “inherent risk”).

  • Use a common likelihood/consequence methodology to assess each of your risks and assign a risk rating, such as low, medium and high.

  • Remember your risk assessment must be unique to your business. You can use templates to start the process, but you must tailor it to your practice to comply with your obligations.

  3. Evaluate:

The final step is to consider what controls you intend to put in place for each risk, and how this may reduce the level of risk (known as your “residual risk”). Then, over time, you must test and evaluate how effective your controls are in mitigating and managing your ML/TF risks. Controls include, for example, training your staff and customer due diligence, or you may decide a risk is too significant and that the only control is to not onboard a particular customer profile.

Remember when you are considering your ML/TF risks, you need to consider all risks you may reasonably face when providing your designated services, even if the risk may rarely occur in practice.

AML/CTF Program Kickstarter Workshops: Your Roadmap to Compliance

Despite breaking it down into steps, understanding and building your ML/TF Risk Assessment can sound daunting, even if using a template to get you started.

There is also the risk that it is unclear how to customise the template, that you waste time trying to understand what needs to be done, or that you simply adopt what is provided and leave it untailored. This can result in certain risks not being considered adequately (and therefore, a deficient ML/TF Risk Assessment and broader AML/CTF Program).

To address these risks and support your transition into the AML/CTF regime, Holley Nethercote is running a series of AML/CTF Program Kickstarter Workshops.

These workshops are specifically developed for the person in your practice who will be tasked with building and implementing your custom AML/CTF Program.

With a focus on practical guidance, these three-and-a-half-hour sessions will provide you with the clarity, tools, and roadmap needed to build your tailored AML/CTF Program by covering how to:

  • set governance roles and responsibilities

  • identify and assess ML/TF risks for your designated services, customers, jurisdictions and delivery channels

  • build and maintain a ML/TF Risk Register

  • map personnel due diligence and training plans

  • implement customer due diligence (CDD) systems, and

  • understand reporting obligations.

“Attendees will leave with actionable steps for their practice,” Keddie Waller says. “With the right support, you can turn regulatory complexity into a clear, practical roadmap for compliance.”

Plus, attendees will receive exclusive discounts on AML/CTF Program Templates and supporting tools to turn obligations into practice.

Creating and maintaining a robust ML/TF Risk Assessment is a challenge, but it’s one you don’t have to face alone. Customisation is key, and expert guidance can make all the difference. Register now for our AML/CTF Program Kickstarter Workshops and take the first step towards confident compliance.
