
Jean-Yves Gilg

Editor, Solicitors Journal

Revolving door: Applying the risk-based approach to client take-on

Feature

By Peter Derrick

Peter Derrick explores the challenges of applying the risk-based approach to client take-on in practice

Anti-money laundering (AML) legislation is constantly evolving as lawmakers grapple with drug trafficking, corruption, financial crime and terrorism. Regulators, in seeking to ensure such legislation is effective, have developed and refined their review processes. It is no longer enough to simply have policies and procedures that are fit for purpose. A firm must be able to evidence that it has a good and effective compliance culture. Recent highly critical reports from regulators have focused on failings in this area which stem from the boardroom.

For senior management, the ability to pass the buck for regulatory failings to those below has gone. Regulators expect boards or their equivalent to demonstrate that they understand the regulatory risks facing their business, that they have policies and procedures fit for purpose and, most importantly, that these are being followed. There are strong indications that regulators will not only continue to levy ever-larger fines for regulatory breaches, but will also increasingly look to prosecute those they see as responsible.

Understanding the risk-based approach is a key part of any firm's compliance culture. Working with a global client base makes it inevitable that I see business covering a wide spectrum of risk profiles. I have tried to keep the guidance below as generic as possible, based on my experience as a money laundering reporting officer (MLRO) and compliance officer rather than on a specific regulatory regime, so that it is relevant to all.

What is the risk?

There is a simple way to avoid any risk - shut up shop and take up knitting. This is not a serious suggestion, but any business needs to decide what its appetite for risk is. Assuming that taking up knitting is not an option, your practice needs to focus on three main areas of risk when looking at client take-on:

  1. reputational - would doing business with this client damage your reputation if it became public knowledge?;

  2. regulatory - specifically, for this article, AML and countering the financing of terrorism (CFT) regulations; and

  3. financial - does the nature of the service or advice that you are providing carry a significant financial risk?

At one extreme, do you only take on clients and offer legal services that carry little risk or, at the other, do you seek business from any source and offer any type of service, provided that it pays?

The current financial climate may push your practice towards the latter option, but do your staff have the skills and competency to manage those risks? There is little point in marketing your services to a new client base that carries a higher risk profile only to find that your MLRO strongly advises against taking the client on and is busy generating a suspicious activity report for the authorities.

Managing the risk

You should be able to identify the risk profile of your firm - the percentage of low, medium and high risk clients - and link that back to your business strategy and appetite for risk. There is no right or wrong answer but, inevitably, the greater the percentage of high risk business you have, the more resources you should be devoting to ensure you are correctly managing the risks those clients pose.

Risk versus reward should be a part of any risk analysis - not forgetting that, sometimes, the right answer is to not proceed with the business. Regulators will look at your overall client risk profile and risk rate you as a practice; expect to see them more often if you have a substantial percentage of high-risk clients.

The guidance available from regulators varies but, over the past few years, has moved away from a prescriptive rules-based approach to one based around principles and allowing an element of interpretation - a risk-based, outcomes-focused regulatory approach.

This regulatory approach relies on those responsible for running the practice identifying and understanding the risks they face and putting in place policies, procedures, controls, training and monitoring to manage them. Without these safeguards, you are potentially setting yourselves up to fail, with all of the consequences this carries, including fines and imprisonment.

The recently-published draft European Union 4th AML Directive indicates the importance governments and legislators apply to this area.

Assessing the risk

When putting a client risk assessment procedure together, all that is needed initially is to extract the guidance from the relevant regulatory pages and create a list of factors to be considered (not forgetting reputational and financial risk). Further consideration then needs to be given to the nature of your client base and the services that you offer.

These factors should include:

  • geographical location;

  • activity;

  • nationality of the client;

  • source of wealth;

  • identifying exposed persons (politicians or those linked to them and other influential people);

  • sanction checks; and

  • services being offered.

Most guidance on AML and CFT indicates which factors represent a higher level of risk, such as exposed persons and links to certain countries. But note the word 'higher': it does not mean that such clients are automatically 'high' risk. A politically exposed person (PEP) could still be classified as low risk overall, albeit higher risk than your typical low risk client.

Your risk assessment should include all of the factors that you feel are relevant and then provide you with your risk rating. Whether you choose the simple low, medium and high risk route or feel that you need a greater spread of risk levels, and how you reach that risk rating (a subjective approach or a scoring system), is your choice. You may feel that it is appropriate that certain factors will automatically rate the client as high risk, such as a PEP. Whatever you decide must be documented, justified and signed off at board level or equivalent - a regulator will ask!

The key to following the risk-based approach is documenting your actions and providing justification for them. I have seen occasions where companies, presumably seeking to avoid the need for such justification, simply treat every client as 'high risk' and think: problem solved.

However, by treating every client as high risk, you are encouraging a 'tick box' mentality, which potentially takes away any thought around the risks each client really presents and addressing them. You risk sending a clear message to your regulator that you don't know what you are doing in terms of applying a risk-based approach.

Knowing your client

To correctly assess the risks, you need to know who your client really is. Simply doing business with XYZ company without seeking details of its owners (such as shareholders or settlors of a trust) and controllers (such as directors and trustees) is a recipe for disaster.

The increasing emphasis coming from the Financial Action Task Force (FATF), International Monetary Fund (IMF), World Bank and the Council of Europe's Moneyval in this area highlights the need to identify ultimate beneficial owners and see through arrangements such as nominees, complex corporate structures and trusts.

This can be a time-consuming and frustrating process, but it could cost you a lot more, including your reputation and liberty, if it were subsequently discovered that the whole purpose behind the entities involved was to conceal the proceeds of crime.

Regulatory guidance around the due diligence you need to obtain on new clients - whether individuals or entities - generally works on the basis that, the higher the level of risk you assign to your client, the more documentary evidence is required.

A suitable form of identification such as a passport is normally a minimum, but details of an individual's place of residence, proof of residence, or a company's certificate of incorporation and shareholder/directors register are often required.

As the risk level increases, the quantity and type of information needed widens to include sources of wealth (suitably evidenced), certified documents if the originals haven't been seen and secondary evidence of place of residence.

Many regulators allow an element of reliance to be placed on external data sources to verify identification and address, but retain a need to see documents. It could be argued that permitting greater reliance on approved independent sources is a safer, quicker and more cost-effective route, where such information is available.

Higher risk clients

For those clients identified as posing a higher level of risk, there is usually a requirement to carry out 'enhanced due diligence' and for senior management to sanction taking the client on. The regulatory guidance that is generally provided suggests additional checks ranging from further proof of address to commissioning an investigative report from one of the agencies offering this service.

Such reports can provide excellent assurance that your client is acceptable or provide some very good reasons for why he should be politely shown the door. At its most basic, a report will largely regurgitate information that is freely available via online research. Training your staff on how to use search engines like Google to obtain relevant information (without having to sift through thousands of potential matches) could be money well spent.

Analysing information

It goes without saying that some websites are more reliable than others. Wikipedia's information on your potential client may portray him as a saintly figure devoting his life to charity, but who wrote these articles? This is one of the biggest challenges a practice faces when dealing with a high-risk client where there is a mass of information available.

In simple terms, positive news (from a reliable source) and no news is good; negative information requires careful analysis, as follows.

  • What is the negative information saying? How bad is it and is it criminal or civil? Many banks have recently been heavily fined and censured, but would you decline them as clients?

  • How old is the information? The older the information is, the less weight it potentially carries.

  • Is it fact or fiction? Rumours and allegations are often reported which, by their nature, should be treated with far more scepticism than actual charges made or court proceedings taking place.

  • What is the source and how reliable is it? Even the most reliable media sources can get their facts wrong on occasion.

  • Which countries are involved? Many of us are lucky to live in jurisdictions with a free press and independent judiciary. Further afield, interference with or control of the press and, in some cases, the judiciary, is more prevalent. This must be taken into account in assessing whether negative information is reliable.

Placing reliance on information that may have no substance may see you turning away good, profitable business. Any decision is inevitably subjective, but your thought processes should be documented carefully if negative information exists and you are going to take the client on.

The risk-based approach

The risk-based approach to client take-on is based on the premise that a practice will devote more resources to ensuring those clients that are assessed as posing a higher level of risk are acceptable. For a low-risk client, obtaining the correct client due diligence (CDD) checks is normally relatively simple. The problems generally come with high-risk clients and enhanced due diligence.

If you can obtain the full set of documents and evidence that meet regulatory requirements, excellent. But, there is a danger that the drive to meet the regulatory requirements becomes an end in itself, rather than focusing on what really matters - preventing money laundering and financing terrorism.

If you are unable to obtain all of the documents that you should have, but are fully satisfied that the client is not involved in money laundering then, rather than turning the client away, application of the risk-based approach provides the solution.

Dealing with an international client base, I regularly come into contact with prominent individuals and families, ultra high net worth individuals and sovereign wealth vehicles (many of which are based in jurisdictions considered high risk), which, by our regulatory definition, represent overall higher-risk business and require enhanced due diligence.

Obtaining passports, evidence of wealth, utility bills and bank statements is not practical in many cases for a variety of reasons and, as such, meeting regulatory requirements is impossible.

But, do I know my client? Yes. Is there any evidence the client is linked to money laundering or terrorism? No. On this basis, should I be able to do business with this client? Yes. However, it is essential that I document why the practice is comfortable derogating away from normal CDD requirements. You should have a documented derogation policy setting out what needs to be done when obtaining the full CDD is impractical. This should include documenting what is missing, why it is impractical to collect it and the justification for proceeding.

Such derogations can be risk rated in their own right but, where significant parts of the normal CDD are missing, this should automatically be classed as high risk and require sign off by senior management (and your compliance officer/MLRO), in line with your high-risk client procedures. A record of significant derogations should be maintained and reported to the firm's board and managing partner to ensure the process is not being abused.
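As an added illustration of the scoring approach that the 'Assessing the risk' section leaves to the firm's choice, combined with the derogation handling just described, the following Python model shows one way the pieces fit together: weighted factors, thresholds, an optional 'PEP is always high' policy, a sanctions hard stop, and a derogation record that forces a high rating and senior sign-off when significant CDD is missing. This is example code, not the author's, Ogier's or any regulator's procedure; the factor weights, thresholds, the set of 'significant' CDD items and the sample clients are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed factor weights (not from the article). Each factor is scored by the
# reviewer as 0 (no concern), 1 (elevated) or 2 (significant).
FACTOR_WEIGHTS = {
    "geography": 3,         # links to jurisdictions the firm rates higher risk
    "activity": 2,          # cash-intensive or opaque business activity
    "nationality": 1,
    "source_of_wealth": 3,  # how well the source of wealth is evidenced
    "exposed_person": 2,    # PEP, someone linked to a PEP, or other influential person
    "services": 2,          # nature of the service being requested
}

# Assumed thresholds on the weighted sum; the firm chooses and documents these.
MEDIUM_THRESHOLD = 6
HIGH_THRESHOLD = 12

# Assumed list of standard CDD items whose absence is a 'significant' derogation.
SIGNIFICANT_CDD = {"identity_document", "proof_of_address", "ownership_structure"}


@dataclass
class Client:
    name: str
    factors: dict                                     # factor name -> 0, 1 or 2
    is_pep: bool = False
    sanctions_match: bool = False
    missing_cdd: dict = field(default_factory=dict)   # missing item -> why it is impractical to obtain


@dataclass
class RiskDecision:
    rating: str                  # "low", "medium", "high" or "decline"
    score: int
    reasons: list                # the written justification a regulator will ask for
    requires_edd: bool           # enhanced due diligence
    requires_senior_signoff: bool


def rate_client(client, pep_auto_high=False):
    """Return a documented risk decision for one client."""
    reasons = []

    # A confirmed sanctions match is a hard stop, not a scoring input.
    if client.sanctions_match:
        return RiskDecision("decline", 0, ["confirmed sanctions match: do not proceed"],
                            requires_edd=False, requires_senior_signoff=True)

    # Weighted scoring: 'higher risk' factors raise the score but do not, by
    # themselves, make the client 'high' risk.
    score = 0
    for factor, level in client.factors.items():
        if factor not in FACTOR_WEIGHTS:
            raise ValueError(f"unknown risk factor: {factor}")
        if level not in (0, 1, 2):
            raise ValueError(f"factor {factor} must be scored 0, 1 or 2")
        contribution = FACTOR_WEIGHTS[factor] * level
        if contribution:
            reasons.append(f"{factor}: level {level} x weight {FACTOR_WEIGHTS[factor]} = {contribution}")
        score += contribution

    if score >= HIGH_THRESHOLD:
        rating = "high"
    elif score >= MEDIUM_THRESHOLD:
        rating = "medium"
    else:
        rating = "low"
    reasons.append(f"weighted score {score} -> {rating}")

    # Optional firm policy: a PEP is rated high regardless of score.
    if client.is_pep and pep_auto_high and rating != "high":
        rating = "high"
        reasons.append("PEP: firm policy rates politically exposed persons high automatically")

    # Derogation from standard CDD: record what is missing and why. Significant
    # gaps force a high rating and therefore senior management / MLRO sign-off.
    for item, why in client.missing_cdd.items():
        reasons.append(f"derogation: {item} not obtained ({why})")
    if client.missing_cdd.keys() & SIGNIFICANT_CDD:
        rating = "high"
        reasons.append("derogation: significant CDD missing, rated high and escalated")

    is_high = rating == "high"
    return RiskDecision(rating, score, reasons, requires_edd=is_high, requires_senior_signoff=is_high)


# Constructed sample clients, for illustration only.
_CLEAN = {"geography": 0, "activity": 0, "nationality": 0,
          "source_of_wealth": 0, "exposed_person": 0, "services": 0}
LOCAL_TRADER = Client("Local sole trader", dict(_CLEAN))
RETIRED_MINISTER = Client("Retired minister, domestic, salaried",
                          {**_CLEAN, "exposed_person": 1}, is_pep=True)
WEALTH_VEHICLE = Client("Sovereign wealth vehicle, higher-risk jurisdiction",
                        {**_CLEAN, "geography": 2, "source_of_wealth": 1, "services": 1},
                        missing_cdd={"proof_of_address": "institutional client, no utility bill exists",
                                     "bank_statements": "not released by the sovereign entity"})
SANCTIONED = Client("Listed entity", dict(_CLEAN), sanctions_match=True)

if __name__ == "__main__":
    for client in (LOCAL_TRADER, RETIRED_MINISTER, WEALTH_VEHICLE, SANCTIONED):
        decision = rate_client(client)
        print(f"{client.name}: {decision.rating} (score {decision.score}, "
              f"EDD={decision.requires_edd}, sign-off={decision.requires_senior_signoff})")
        for reason in decision.reasons:
            print("   -", reason)
```

The retired minister scores low under the default policy because the PEP factor only raises the score, which is the article's 'higher is not high' point; passing `pep_auto_high=True` shows the alternative policy of rating every PEP high. The wealth vehicle scores medium on factors alone but is forced to high because proof of address, one of the assumed 'significant' items, is missing, and every reason is kept so the justification can be written up and signed off.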

By the book

Principles-based regulation and the risk-based, outcomes-focused approach is there to be used. It could be abused and I will only know if my approach, as outlined above, is correct when my regulator pays me a visit, which may be sooner rather than later if they read this article!

As a final thought, I would strongly suggest that, when it comes to risk, sometimes the answer to taking on a new client, however valuable, whether you have CDD or not, has to be no.

Peter Derrick MICA is senior compliance manager at offshore law firm Ogier (www.ogier.com)