
Our experience: the main shortcomings in preventing money laundering

Riin Veidenberg (on maternity leave)

The Money Laundering and Terrorism Financing Prevention Act (MLTFPA), which entered into force in 2018, brought about several changes in the requirements compared to the past, which we believe many obligated persons still have problems meeting.

The experience of Grant Thornton Baltic's risk management advisors in conducting money laundering and terrorism financing prevention audits, especially in institutions supervised by the Financial Supervision Authority, shows that the problems are largely similar.

Who is affected by the law?

The prevention of money laundering and terrorist financing must be carried out by all companies and institutions with a legal obligation to do so - companies operating in the financial sector, gambling operators, real estate agents, traders, precious metal buyers and wholesalers, auditors, accounting service providers, consultancy providers, pawnbrokers, notaries, lawyers, etc.

In fact, even those who are not themselves obligated persons within the meaning of the law, but who deal with obligated persons in the ordinary course of business, are exposed to the requirements arising from the law: banks, for example, may ask about business partners and the movement of money.

There is no risk-based approach

Money laundering and terrorist financing risk management should mean a risk-based approach to due diligence that takes into account the risks arising from the company's business activities (e.g. the services provided or the customers served). A risk-based approach means that the company focuses its activities on riskier customers, areas, etc., which helps to use the company's resources more efficiently.

In order to implement a risk-based approach, a company must assess the risks associated with its operations in at least four categories (risks related to customers, services and products, geographic areas, and communication and mediation channels). In practice, many companies do not comply with this requirement. Even if the official documentation related to the risk assessment (risk assessment, rules of procedure) is correct at first sight, in practice the minimum risk categories arising from the law are not taken into account when determining the risk profile of clients. In many companies it is also unclear how a client's risk profile and risk level (high, normal or low risk client) is derived when the assessments differ across the four risk categories. Therefore, the foundations of a risk-based approach are not always in place.

Does your company assign a risk level to all customers, taking into account at least the four statutory risk categories? Is the determination of the client's risk level in accordance with the applicable risk assessment and rules of procedure? Do you apply customer due diligence measures that are commensurate with the customer's level of risk? These are the questions that should be answered first in order to assess whether the preconditions for a risk-based approach have been created.

Internal money laundering rules do not reflect actual practice

Companies and institutions that are required to comply with the Money Laundering Act must draw up rules of procedure governing the prevention of money laundering and terrorist financing. The rules of procedure must describe how the risks of money laundering and terrorist financing related to the company's operations are managed and mitigated, i.e. how the MLTFPA is complied with in practice.

Rules of procedure are often purchased from law firms in a ready-made form, which is why they are very general, copied from the law and do not describe the actual practice of the company. The involvement of external specialists (lawyers, internal auditors, anti-money laundering experts) in drawing up the rules of procedure is very reasonable and welcome, but it is important to ensure that in addition to the legal requirements, the rules meet the company's specifics and are easy to understand.

Does your company's code of conduct clearly and intelligibly describe, for example, how the customer and the beneficial owner are identified? Does the person reading the rules of procedure know what to do if the risk assessment shows that the client is a high-risk client? If not, we recommend reviewing your rules of procedure to see whether they are applicable in practice.

Risk assessment and risk appetite do not comply with the requirements of law

It is quite common that a company's risk assessment and risk appetite do not comply with the requirements of the law. The documents related to money laundering prevention are also often only weakly linked to each other.

Our experience shows that most obligated persons have prepared a statutory risk assessment and risk appetite document. Although the documentation has been created, it almost always has shortcomings and the requirements described in § 13 of the MLTFPA have not been met.

The risk assessment is the basis for developing a risk management model, including simplified and enhanced due diligence measures, which are usually described in more detail in the rules of procedure. The risk assessment, the risk appetite and the money laundering rules of procedure should form a unity that states which risks are related to the company's operations, which risks the company is prepared to take and how they are managed. In practice, however, this is not always the case.

Does your company's risk assessment state which of the products or services your company offers are associated with a higher and which with a lower risk of money laundering? Does your risk appetite specify how much of your products and services you are ready to offer and to whom, and which customers you do not serve?

Due diligence measures are not followed or the audit trail is missing

Obliged parties must apply due diligence measures (e.g. identification of the customer or their representative, identification of the beneficial owner, checking for politically exposed person status, etc.). Our experience has shown that even if customer due diligence measures are clearly described in the rules of procedure, in practice they are not complied with, or only partially: for example, a person's background is said to have been verified, but the query to Google or any other independent source is not recorded to prove it. While due diligence is often at a good level when establishing a business relationship, there are almost always shortcomings in the monitoring of the business relationship.

Does your company practise due diligence as set out in your rules of procedure? To assess this, we recommend reviewing the process of establishing and monitoring the business relationship as a whole and documenting the findings. If you find it difficult to assess compliance, we recommend involving experts in the field. They can assess both the compliance of the established rules of procedure with the law and the compliance of your company's practice with the requirements arising from the law and from your own rules of procedure.

Processes are time- and resource-intensive and there is no automation

Companies and institutions whose activities require compliance with the requirements of the Money Laundering and Terrorist Financing Prevention Act must design their practices in accordance with the risks associated with their activities, but it is also important to ensure compliance with that Act. If any of the deficiencies described above are specific to your company, we recommend that you take a fresh look at your money laundering prevention documentation and procedures and, if necessary, involve Grant Thornton Baltic's risk management advisors.

Contact us to discuss your company and our business risk and internal audit services!