Business Risk Assessment
What is a Business Risk Assessment (BRA)
A Business Risk Assessment is a strategy document that helps protect your business from being exposed to money laundering (ML) and terrorist financing (TF).
It comprises an assessment of how exposed the business may be to certain financial crime threats, and in turn, sets out how these threats and the associated risks of them occurring are mitigated and reduced. Effectively, it establishes the business’ formal approach to the day-to-day management of ML and TF risk.
In terms of structure, a BRA is often set out as a table in Microsoft Excel (or similar spreadsheet software). This is one of the clearest ways to document and rate multiple risks. It also allows you to show how risks are either not applicable to a business, or are mitigated by the controls put in place. For businesses that have a variety of different customer types and/or activity, spreadsheets can enable them to apply calculations, and when necessary, to develop other approaches using their spreadsheet as a first step.
Note that a BRA is different to a customer risk assessment (CRA). A CRA is required for each individual customer (business relationships and one-off transactions) and enables a business to evaluate the risk of ML and TF posed by each customer. A CRA is often documented using a spreadsheet also.
Why your business needs a BRA
Because you undertake Schedule 2 Business, you are considered to be a ‘supervised person’ for the purposes of the Proceeds of Crime (Jersey) Law 1999 (the Proceeds of Crime Law). You are therefore required to prepare a BRA demonstrating your systems and controls to counter ML and TF risks, and make it available to us on request.
The BRA sets out how you plan to comply with Jersey’s anti-money laundering and countering terrorist financing legislation (AML/CFT) and regulatory requirements. This should be able to demonstrate to relevant authorities that your business has relevant systems and controls in place, with a proper consideration of the risks posed to the business.
To continue protecting your business, the BRA should be updated and communicated with your staff on an ongoing basis. This should in turn ensure both compliance with regulatory requirements and assist with future planning for the business.
What should you consider when preparing your BRA
Professional assistance in creating your BRA
If you require assistance in the creation of your BRA, there are several businesses in Jersey who can provide advice. For example, you might want to speak to a Jersey lawyer (Law Society of Jersey website) or a Jersey Finance Member firm specialising in AML or Compliance Advice (Jersey Finance Member directory).
The JFSC is unable to provide advice to applicants on the content of their applications (including the BRA) as we have to review applications impartially.
Key areas your BRA should cover
Before you start your BRA, you should consider:
- size and complexity of your business, its day-to-day activities, who your customers are, what kind of payments you receive.
We would then expect your BRA to document, at a minimum:
- your business’ organisational structure
- its customers, and the countries and territories with which its customers are connected
- its products and services, and how it delivers those products and services
- the use of cash in your business transactions and whether there is a limit to cash usage
- criteria for obtaining information from a client whose cash payment exceeds a certain threshold (either in a single transaction or several transactions which appear to be linked)
It should also document:
- how you plan to stay aware of the various kinds of criminal activities related to ML and TF – criminals evolve their tactics and activities over time to try to get around a business’ defences
- a record of your staff training on understanding and identifying ML and TF risks, suspicious transactions and activity, and potential threats to your business
- how you will test the knowledge and understanding your staff have regarding the above points.
It is particularly important for the BRA to include reference to staff training on:
- how to make internal Suspicious Activity Reports (SARs) to the businesses’ Money Laundering Reporting Office (MLRO)
- how these SARs are escalated to the Joint Financial Crimes Unit (JFCU, an arm of the States of Jersey Police), and the process surrounding submission, including the area of “tipping off”
- whose role it is to decide whether SARs should be sent to the JFCU, and how customers should be approached if a SAR connected to them has been filed. This relates specifically to the area of “tipping off”, which is explored on the States of Jersey Police website
States of Jersey Police - Tipping off, production orders, liaison notices and saisie judiciaires.
A BRA should consider the business as a whole. The assessment must consider the cumulative effect of risks identified and must be kept up to date. It may be that a given risk is not deemed applicable (i.e. the risk from customers connected to high-risk countries is minimal due to customers only being local individuals). This should still be noted in the BRA to reflect that such a risk has been considered. The BRA should also record how it was decided that the risk was minimal.
Additional areas to consider
Based on the unique characteristics of your business, you may wish to consider including one or more of the following potential risk areas in your BRA:
- types of payments you accept (e.g. cash, virtual assets etc.)
- channels of trading you use (e.g. in person, online etc.)
- highest amount you are prepared to accept in cash
- trade finance counterparties (importer, exporter, manufacturer, signatories, shipping companies, freight forwarders, insurance companies, agents and brokers, bookkeepers, IT applications, online payments portals etc.)
- third parties acting for customers or prospective customers (e.g. introducers of business acting for customers or prospective customers
- a log of the names and origin/location of your customers/online customers/banks the transactions are made by
- a log of customers with one or multiple transactions with a value over £12,500
- a customer or representative making multiple smaller cash deposits into the business’ bank account
- an approach to unusual sales or purchase activities (e.g. delivery methods or payment arrangements that are not consistent with normal practice) or unusual enquiries (e.g. regarding the business’ refund policy where a customer is asking if a refund can be made by cheque, wire transfer or paid to a third party).
Guidance notes and useful resources
A range of guidance notes and online resources are available on the JFSC’s and JFCU’s website:
- Section 2.3.1 of the JFSC’s Handbook for Anti-money laundering and countering terrorist financing
- Section 14 of the JFSC’s Handbook
- Case Studies regarding ML and TF risks which High Value Dealer businesses might encounter
- SAR guidance: States of Jersey Police - Suspicious activity reports
- JFSC Money Laundering guidance
- JFSC Terrorist Financing guidance