News

THE AML [financial crime] risk appetite statement

19/11/2019
  1. Having a robust financial crime risk appetite statement together with its associated financial crime risk assessment is fundamental to an organisation properly understanding, managing and mitigating its financial crime risks - and therefore limiting the opportunities for criminals to access and use the financial services industry for illegal activities.
  2. The JFSC/GFSC/MFSC/ FCA and other regulators have put increasing focus on financial institutions’ financial crime risk appetite statements and broader financial crime risk management frameworks.  Specifically:-
    • how risk appetite is understood and defined;
    • how the risk assessment is undertaken; and
    • how risk is managed through policies and procedures and other aspects of the financial crime risk management framework.
  3. As an organisation you need to define the extent to which you are prepared to tolerate
    • being used by criminals for criminal activities or
    • to be exposed to a regulatory breach (i.e. how many times you are prepared to tolerate being punched in the face) and
    • put in place the appropriate controls to mitigate the risks to what you are prepared to tolerate.  This is the ‘tolerable’ or ‘residual’ risk.
  4. Often people misunderstand the term ‘risk appetite’.
    • frequently you hear very senior members of financial services organisations stating that they have
      • ‘zero appetite’ and/or ‘zero tolerance’ for financial crime as it is ‘illegal’.
    • While organisation
      • have no appetite for financial crime risk by carrying on business activities
      • they are exposing themselves to risk and therefore must tolerate the fact that at times they will be exposed
  5. A Risk Statement therefore should articulate
    • the appetite for risk that an organisation has,
    • the extent of the risks that an organisation is prepared to tolerate (‘residual’ or ‘tolerable’ risks)
    • the risks it is not prepared to tolerate (‘intolerable’ risks)
    • the extent it is prepared to tolerate the failure of its controls
    • a recognition of its potential exposure to regulatory breaches