Financial Crime World

Operational Risks Contribute to Increasing Breakdowns in Key AML/CFT Controls

A recent report by the Central Bank of Kenya has highlighted concerns over operational risks that are contributing to an increasing likelihood of breakdowns in key Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) controls.

Identifying Operational Risks

The report analyzed data from various financial institutions and found that significant strategy and operational changes, as well as the structure of ownership and business, were among the qualitative risk factors that directly or indirectly affected inherent risk factors.

Mitigating Risks

To mitigate these risks, the report recommends a detailed analysis of data obtained during the identification stage of the risk assessment process. This involves evaluating data related to the bank’s activities, such as:

  • Number of domestic and international funds transfers
  • Types of customers
  • Geographic locations of business operations

The analysis also requires an impact assessment and the development of a likelihood versus impact matrix to determine the level of effort or monitoring required for identified inherent risks. Institutions can use risk matrices to identify low-risk, acceptable-risk, and high-risk categories, as well as to define additional levels of AML/CFT risk specific to their circumstances.

Evaluating Internal Controls

The report emphasizes the importance of evaluating internal controls to determine how effectively they offset identified risks. Controls are programs, policies, or activities put in place by institutions to protect against materialization of ML/TF risks or to ensure that potential risks are promptly identified. Each control is assessed for overall design and operating effectiveness, with a specific control rated according to a pre-defined rating scale or based on qualitative factors.

Determining Residual Risk

The report concludes by emphasizing the importance of determining residual risk, which is the risk that remains after controls are applied to inherent risk. Residual risk is used to indicate whether ML/TF risks within an institution are being adequately managed.

Key Recommendations

  • Conduct a detailed analysis of data obtained during the identification stage of the risk assessment process
  • Develop a likelihood versus impact matrix to determine the level of effort or monitoring required for identified inherent risks
  • Evaluate internal controls to determine how effectively they offset identified risks
  • Determine residual risk and provide an overall rating after evaluating all controls

Next Steps

Institutions are required to submit their latest results of ML/TF risk assessments to the Central Bank of Kenya by December 31st each year. Any queries or clarifications should be directed to the Director, Bank Supervision Department.

Contact Information

  • The Director, Bank Supervision Department
  • Central Bank of Kenya P.O. Box 60000 - 00200, Nairobi
  • Tel: 2860000
  • Email: fin@centralbank.go.ke