Identifying Money Laundering Risk in the United Kingdom: Observations from National Risk Assessments and a Proposed Alternative Methodology

Two National Risk Assessments (NRA) of money laundering (ML) have now been published in the United Kingdom (see HM Treasury 2015 and 2017). While both represent an attempt to identify the risks of ML, there are limitations in relation to the conceptual framework and the methodology used. This paper reviews the UK NRAs and considers whether revision of the methodology employed could help to both remedy these limitations and generate more robust findings. Drawing upon the findings of the UK strand of project Identifying and Assessing the Risk of Money Laundering in Europe (IARM), it outlines how a composite ML risk indicator was developed through analysis of threats and vulnerabilities across 43 police areas. The findings demonstrate that risks are highest in the City of London and the Metropolitan Police area, which is largely explained by the presence of organised crime groups, connections to risky jurisdictions and the cash intensity of businesses. Although the findings should be treated with caution, it is posited that this methodology could be used to help future NRAs develop a more robust framework to understand ML risk and ultimately develop more effective preventative strategies.

prevention of ML has become a key policy issue, with concerns expressed over the potential consequences to the economy (HM Treasury 2015;NCA 2017); the extent to which ML helps to fund further serious and organised crime; and the linkages the UK financial system has to grand corruption in other countries (Home Office/HM Treasury 2016; Lord and Levi 2017;NCA 2017). Although estimates of the costs of ML to the UK economy have ranged from £36 billion to £90 billion (and have been subject to criticism-see for example, NCA 2017: 22), the costs are recognised as significant, and the prevention of ML is considered critical in the effort to disrupt organised crime. It should also be borne in mind that because the City of London is a major world financial centre, the UK also has to be seen to be proactive in the realm of antimoney laundering (AML) for purposes of reputation, reassurance and global business confidence.
Two main approaches to tackling ML have been developed: enforcement (criminalisation of ML and investigation of live cases) and prevention (keeping illicit money out of the system) (see Levi and Reuter 2006). In the UK, the cornerstone of the enforcement approach is provided by the 2002 Proceeds of Crime Act, in which virtually Bany interaction with the proceeds of crime ( Hicks 2010: 713) is criminalised. The Act created offences of concealing (section 327), arranging (section 328) and acquisition (section 329) of proceeds of crime and sets out provisions for the confiscation of assets acquired through criminal activity. 1 However, there are challenges and limitations with the enforcement approach. Not only are the investigations of individuals involved in ML expensive and time consuming, but even when convictions are secured, further problems can then be encountered in recovering assets from criminals through confiscation ordersparticularly in relation to the most organised and larger-scale criminal operations (see Bullock et al. 2009; National Audit Office 2013; King and Walker 2014;Fisher 2015;King 2018). 2 The prevention of ML focuses on what have been described as rule-based and risk-based approaches. Both are largely focused on trying to prevent illicit cash flowing back in to the legitimate economy. Across most countries in the world, financial entities and designated nonfinancial businesses and professions (DNFBPs) are required to follow certain rules in relation to the prevention of ML. This requires regulated sectors to report (in the case of the UK, through the suspicious activity reporting regime) every financial transaction that is deemed suspicious (Esoimeme 2015). However, this approach has been met with several criticisms. As Levi (2014) notes, this rule-based system conscripts regulated business sectors to comply (with the threat of penalties) as part of their corporate social responsibility and report suspicious activity, but in practice, it ensures standardisation of rules and regulations as a goal rather than the disruption of organised crime (which is hard to measure). Thus, the UK regulatory authorities have developed what could be described as a second-best legitimising approach based upon a compliance tick-box culture (Harvey 2008: 190). Some have argued the justification for the expansion of AML has been informed by using second-best measures, such as numbers of suspicious activity reports (SARs) (Harvey 2008: 203;Zoeppi 2015), which suggests there has been an expansion of the regime without any legitimisation. Indeed, Unger and Ferwerda (2014) question the costs of this expansion given that the benefits are unclear.
While the rationale for the expansion of the AML regime has been criticised (and in particular rule-based approaches), risk-based approaches have become the cornerstone of AML regimes across the globe. As set out by the Financial Action Task Force (FATF) (2012), there is a requirement for members to be aware of the risks at a national level and also for obliged entities to be aware of the risks within their businesses. This is reiterated in the European Union 4th Money Laundering Directive, which states that BUnderpinning the riskbased approach is the need for Member States and the Union to identify, understand and mitigate the risks of money laundering^ (EU 2015: 4). In relation to obliged entities, there is a requirement that appropriate steps are taken to identify and assess risk (whether these be customers, products or services). Thus, this represents a transition from a rule-based approach, which requires equal treatment of all, to an approach that requires differentiation between high and low risk (Esoimeme 2015;Bello and Harvey 2017). At a national level there is a requirement to Bidentify, assess and understand the ML risks^ (FATF 2012: 6). This requires all FATF members to identify the threats (people or activities who may launder money), vulnerabilities (the factors that attract, facilitate or allow laundering) and consequences (the potential harms or impact) (see FATF 2013). This approach clearly has the potential to identify what opportunities exist for ML at a national level and to aid the development of preventative strategies. However, it has been observed that the national risk assessments conducted to date have been limited by methodological and conceptual problems. Indeed, critiques of NRAs conducted in countries such as the USA, Canada, Italy and Sweden have noted the lack of harmonised methodologies and transparency of method (both of which make replication difficult) and an over-reliance on qualitative or descriptive data (see Savona and Riccardi 2017;van der Vee and Ferwerda 2016). Therefore, the primary aims of this paper are threefold. First, it outlines (by focusing on the UK experience) the common challenges in developing national ML risk assessments. Second, by focusing on the findings of a European Union (EU)funded pilot study (IARM), 3 it outlines an approach to risk assessment developed in the UK that could be used to complement the existing NRAs. Third, it considers how future NRAs might be developed and their utility for developing preventative strategies. The findings presented not only outline a more transparent methodological approach to a UK national risk assessment than currently exists, but also offer an approach that could be further developed to complement the more qualitative approach favoured in the current UK NRAs.

Identifying Money Laundering Risk: the UK National Risk Assessments
The first UK NRA (see HM Treasury 2015) sets out an approach based around understanding the threats, vulnerabilities and consequences of ML. The 2015 NRA identifies threats in the form of key predicate offences, such as fraud and tax offences, drugs offences, modern slavery and acquisitive crime; and vulnerabilities across regulated sectors (including services provided, lack of AML compliance, professional enablers, international exposure and secrecy of business structures). In addition, chapters are also devoted to vulnerabilities in company ownership structures (legal entities and arrangements), cash risks, new payment methods and international exposure. The 2017 NRA builds on the 2015 assessment by identifying where risks have changed or developed and through exploring those areas previously identified as high risk (HM Treasury 2017). From a risk-based perspective, the most useful aspect of either NRA is the 2015 assessment's attempt to develop composite ML risk scores for businesses in the regulated sector, in which the Brisk of businesses in a sector being used by criminals to facilitate money laundering due to the services it offers^is rated (HM Treasury 2015: 10). Through using a methodology referred to as Management of Risk in Law Enforcement (MoRiLE), the structural risk within each sector is assessed Bbased upon a series of factors to indicate vulnerability of a particular sector to money laundering and the likelihood they will materialise in that particular sector^(HM Treasury 2015: 10). Vulnerabilities include factors such as the complexity and reach of the services offered in the business sector, the volume and speed of money movement through the sector and compliance with AML. Likelihood factors include the size of the sector, likelihood of reporting suspicious activities and law enforcement agencies' existing knowledge of ML in the sector. Using this method, business sectors were given a vulnerability score and a likelihood score which were then multiplied to give an overall structural risk score. Businesses were then graded as high, medium or low risk. In 2015, banks, legal service providers and money services were rated as high risk, and high value dealers, retail betting (unregulated gambling) and casinos (regulated gambling) rated as low.
Rather curiously, although the MoRiLE framework is referred to in the 2017 report methodology (which appears as a 2-page annex), no mention of MoRiLE is made in the main body of the report, nor are any risk scores calculated in relation to specific sector risks. Here, business sectors and their particular activities are still classified into risk groups, and some explanation is given as to why sectors are considered high, medium or low risk. As a riskbased approach to understanding ML, there are a number of criticisms that might be made of both UK NRAs: 1. Definition of money laundering: nowhere in either report is there a clear definition of what ML actually is. 2. Data collection: It is unclear what data have been used to make assessments about risk.
Also, the level and spread of government engagement with the stakeholder groups during the consultation phase is uncertain. In terms of the nature of consultations, the 2015 NRA methodology states that Bworkshops were held with some sectors and questionnaires with others^(HM Treasury 2015: 10). The 2017 NRA mentions Bcontributions supported by 200 organisations^(HM Treasury 2017: 83). However, neither assessment makes clear how many individuals were spoken to, in which specific organisations and what they were asked. Thus, the reliability of data can be questioned, as it might be subjectively, rather than objectively, based. 3. Validity of the findings: Data used to assess vulnerabilities were primarily qualitative assessments collected from stakeholders, rather than quantifiable indicators. It is clearly stated in the 2015 NRA that the conclusions Bdraw heavily on expert judgement from law enforcement agencies, supervisory authorities and those responsible for AML/counter financing of terrorism (CFT) within firms^(HM Treasury 2015: 10) and the 2017 report used a similar approach. This calls into question the validity of the findings and, in particular, the risk scores generated in the 2015 assessment. 4. Framework for and method of data analysis: The MoRiLE offers a potentially useful analytical framework to develop a composite risk score. However, there is a lack of clarity about how the risk ratings presented in the 2015 NRA are calculated and applied. For example, banks generate a vulnerabilities score of 34 and a total likelihood score of 6.2; but, it is it is unclear how criteria used for assessing vulnerabilities or likelihood are graded and then actually generate the scores that are presented in the findings. As data collected are largely qualitative, it might be assumed that there has been considerable guesswork here. 5. Scope and reach of the assessment: The analysis of businesses covers regulated sectors.
However, given that businesses in both regulated and non-regulated sectors are potentially at risk of ML, the assessments could also include sectors that are currently unregulated (see Kleemans and Ferwerda in this edition). There is also no geographical analysis of the risks of ML. 6. Strategies for prevention: It is not clear from the 2015 NRA itself how the findings could be used to develop preventative strategies. However, this is considered in the Action Plan for AML and counter-terrorist finance (Home office/HM Treasury 2016) and in more detail in the 2017 assessment. We discuss this further below.
The NRA generates some potentially useful information. However, the issues outlined above mean that the assessment is open to many of the criticisms that have been levelled at other NRAs in relation to lack of transparency of the method, how easily it could be replicated and how verifiable the methodological approach is (see Savona and Riccardi 2017). The central focus in this paper is in relation to developing point 4: the framework for and method of analysis. It is to this that we now turn.

Developing a Model to Understand Money Laundering Risk at the National Level
Project IARM (see Savona and Riccardi 2017) aimed to develop a methodological approach to assessing national ML risk. It was piloted in three countries-Italy, The Netherlands and the UK-where threats and vulnerabilities are more carefully defined and measured than in previous assessments and the analytical process is more transparent, so the method could easily be replicated in future. For the UK, the initial aim was to build a model that could measure risk at an area-based level (geographical) and across all business sectors. However, due to a paucity of data that allowed for threats against businesses to be measured, the pilot focused upon developing an area-based model across UK police areas. Similar to the first UK NRA (see HM Treasury 2015), the approach aimed to develop a risk-based indicator that enabled the complexity of ML risk to be condensed into one value. The following sections describe the steps in this process.

Identification, Operationalisation and Normalisation of Risk Factors
The first stage of the process was to conduct an extensive literature review to identify risk factors and associated threats and vulnerabilities that might generate opportunities for ML. The study defined threats and vulnerabilities in line with FATF definitions. Threats were defined as people or activities that may need to launder money (FATF 2013: 7;Dawe 2013: 112), and these relate to the scale of ML predicate offences that generate illicit proceeds. Vulnerabilities are the factors that attract, facilitate or allow ML to happen. In other words, they are those factors that may be exploited by threats (FATF 2013).
The literature review pointed to a substantial number of potential threats and vulnerabilities.
The key challenge was then to operationalise these threats and vulnerabilities into meaningful proxy measures (stage 2). In the UK, much of the literature relating to ML risk describes threats in qualitative terms. Therefore, there are challenges in moving on from what is described in the literature to developing proxy measures of risk. Tables 1 and 2 present an overview of data collected for the study. These outline what are referred to as the risk factors (threats and vulnerabilities), risk subdimensions (dimensions that might be considered part of each risk factor), proxy measures (variables created as a measure for each dimension); source of data used for each proxy and the year data used in the model relates to. It should be borne in mind that the development of threat and vulnerability measures were limited by the availability of data that could be developed into proxy measures. Indeed, it is acknowledged that several other measures could be used (such as tax evasion and SARs). This is revisited later in the paper.   Threat variables were generated that aimed to measure the potential extent of ML across each area. These fell into two groups: organised crime groups (OCGs) and illicit markets/ activities. The presence of organised crime has often been cited as a key ML threat to the UK (see HM Treasury 2016). The hypothesis proposed here is that the more OCGs in an area, the more money that is likely to be generated through OC activity across a range of illicit markets/ predicate offences and thus a greater the amount of proceeds one would expect to be laundered into the licit system. Therefore, data were collected on numbers of crime groups thought to be located within each police area and those currently thought to be impacting in those areas (those that may be located outside an area but activities of which are impacting on the local area and generating cash likely to be laundered). 4 The second area of threats are related to predicate offences thought most likely to generate proceeds to be laundered. The list of predicate offences developed for this analysis was informed by the FATF (2013), as reported in the 4th Anti-Money Laundering Directive (AMLD) (Directive 2015/849, Art. 3), those presented in the UK NRA (HM Treasury 2015) and also from the predicate offences used by Mills et al. (2013) in their estimate of the costs of organised crime to the UK economy. The proxy measures of predicate crimes were developed by identifying (1) what types of crime activities OCGs engage in, and (2) what proportion of these crimes might be attributed to OCGs. Estimates of the proportion were based upon Mills et al. (2013) research into the linkages between a range of crime types and OCGs. For example, they estimate that 100% of all distraction burglary is linked to organised crime, as is 58% of theft of motor vehicles and 80% of fraud/forgery. These estimates were based upon the likely number of people required to commit the crime, likely profits, planning, knowledge and skills required for crime completion. For many crime types (such as vehicle offences), intelligence from specialist crime units was used to make the predictions. In addition to the numbers of organised crimes that occur in an area, a monetary value was also applied where possible to give a proxy measure of the potential amount of money that might be laundered in relation to each crime type. These costs were principally obtained from official sources on costs of crimes (see Mills et al. 2013), where estimates in relation to average values of stolen property for the offences of distraction burglary, vehicle crime, metal theft, cash in vehicle transit robbery and plant theft were available. 5 There were, of course, a number of challenges faced when developing proxy measures of threats. For example, not all crime types one would expect to generate significant profits could be included, such as fraud/forgery, where data for all 43 areas could not be collected. Furthermore, monetary estimates were only available for some acquisitive crime types. Obviously, some care also has to be taken in terms of interpreting these crime figures, as they are based upon official statistics relating to crimes that come to the attention of the police or other official bodies. Thus, they may not be representative of the actual total extent of predicate offences across each area (see Maguire and McVie 2017). In addition, it needs to be borne in mind that the highest numbers of OCGs, predicate offences and, ultimately, volumes of money to be laundered are concentrated in the larger metropolitan areas. Therefore, control variables, such as resident area population, number of businesses and local gross domestic product (GDP) rates, were used to control for differences in area size. For example, variables such as numbers of crimes were controlled by the size of local area population, and revenues from crime were controlled by GDP per local area. Finally, it should be recognised that as threats in the model are area based, they fail to account for any cross-border movement of profits from crime (i.e. where money generated through crime in area A is moved to area B).
Vulnerability measures aimed to assess the extent that opportunities exist for ML across each area. These measures (Table 2) fell into three broad groups: cash intensiveness, opacity of business ownership and further variables grouped as other vulnerabilities. Cash intensiveness has been identified as a facilitator in ML, as cash movement can easily be hidden, which is ideal for laundering (Riccardi and Levi 2018). While data exist in countries such as Italy on cash diffusion among individuals by area level, in the UK, such data are not available. Therefore, cash intensiveness was measured by considering the liquidity of local businesses through current cash assets and current assets and the presence of cash machines per 1 million population. Measures of cash and current assets were principally developed from Bureau van Dijk (BvD) data, which hold data that can be developed into proxy measures for companies, such as financial data, legal entities and corporate ownership structures. Globally, data are held on >250 million private enterprises, and this allowed for analysis to be completed in relation to details held on 3,741,300 6 businesses in the UK. Whilst it is recognised that this number is lower than the total UK business population, which is >5 million (see BIS 2015), BvD were able to provide data on a range of measures that would not have been available otherwise. The cash intensity of a local area was also measured through the number of cash machines in a location, which has been cited as an indicator of the cash intensiveness of local economies.
Here, data were collected on the use of cash machines across England and Wales from UK Payment Statistics (Payments 2015).
Of course, the opacity of business ownership structures in which beneficial ownership is difficult to identify or there are complex shareholding structures, have been identified as being a key vulnerability for ML (ECOLEF 2013;Savona et al. 2016;FATF 2016). In relation to the complexity of business ownership, proxy measures included levels of foreign ownership and beneficial ownership distance. For links to risky jurisdictions, this included generating variables with risk scores for beneficial ownership and shareholding across each police area (by using the secrecy index). These were developed by using Tax Justice Network Financial Secrecy Scores (see Tax Justice Network 2015), which is an index of financial secrecy that ranks jurisdictions according to their secrecy and the scale of their offshore financial activities. 7 This is described by the Tax Justice Network as Ba tool for understanding global financial secrecy, tax havens or secrecy jurisdictions, and illicit financial flows or capital flight^(Tax Justice Network 2015: np) and currently ranks Switzerland, Hong Kong and the USA as the highest risk jurisdictions.
Other measures of vulnerabilities included attractiveness of the local area for inward investment, presence of international transit hubs and business profitability. Attractiveness for inward investment was measured through real estate values. The price of real estate has often been considered a ML risk factor (see Ferwerda and Unger 2013;Transparency International UK 2016), especially in the UK where concern has been expressed over illicit real estate investments (Goodrich and Cowdock 2016). Locations that have an abundance of international connections-via, for example, transit hubs-are also often characterised by higher volumes of illicit cas flows (Soudijn and Reuter 2016). A measure of international connections was created by giving each police area a risk rating based upon the presence of international transit hubs, such as international airports, international railway stations, passenger ferry terminals and cargo ports. There is also a (debated) hypothesis that business profitability can be an attractor of inward investments for crime groups, though the empirical evidence for this is weak (see Riccardi 2014). Nevertheless, business profitability was also used as a proxy measure.

Analysis of Threats and Vulnerabilities
Initial descriptive analysis was conducted across all variables to begin to identify where threats and vulnerabilities are most likely to concentrate. This helped identify where (for example) the highest rate of organised crime revenues per percentage of local GDP were or where the businesses that had beneficial ownership structures connected to risky jurisdictions were located. However, a descriptive analysis of where individual threats and vulnerabilities are located reveals little about where the overall ML risk is highest. Therefore, an analysis was conducted that considered the combined impact of variables to develop a composite measure of risk. Initially, bivariate analysis teased out where threats and vulnerabilities converge by running Pearson's correlation analysis across all variables. This identified several medium-tostrong correlations between variables. For example, the presence of acquisitive organised crime (for GDP) was correlated (at >0.3) with cash assets, the presence of transit hubs and real estate costs. The presence of OCGs (per 100,000 population) was correlated with foreign shareholding structures, real estate costs and cash assets; and the presence of regulated businesses (obliged entities) in a local area was correlated with the presence of OCGs, organised drug crime and acquisitive organised crime. A principal component analysis (PCA) was then conducted to develop a composite indicator of ML risk. 8 The main reason for selecting PCA was because (1) there were several indicators of threats/vulnerabilities in the data set; and (2) PCA allows these indicators to be grouped to understand what the main components of risk are. In order to prepare data for PCA, two steps were followed. First, for some variables, although they were identified as proxy measures of vulnerabilities in some literature, it was not entirely clear what the relationship was between the vulnerability and the threat-for example, ATM population and business profitability-so these were dropped. Second, variables showing a nonsignificant linear correlation with all other variables were dropped (such as organised immigration crime). This left a total of nine variables in the model. These included three threat variables and six vulnerability variables: 1. Threats 1: OCGs impacting per 100,000 population 2. Threats 2: Grouped drugs crimes per 100,000 population 3. Threats 3: Acquisitive crime revenues as a percentage of local GDP 4. Vulnerabilities 1: Business cash intensity measure 1; ratio cash/total business assets 5. Vulnerabilities 2: Business cash intensity measure 2; ratio current assets/total assets; 6. Vulnerabilities 3: Average distance to beneficial owner 7. Vulnerabilities 4: Shareholders risk score 8. Vulnerabilities 5: Beneficial owners risk score 9. Vulnerabilities 6 -Number of transit hubs It was also borne in mind before the model was developed that for one police force area (City of London), it was problematic to compare predicate offences to other police areas. The principal reason for this is because this area has a small population (<10,000 residents) compared with an average of 1.2 million across all other areas. Therefore, care had to be taken when interpreting data for the City of London, and for this reason, two area risk models were developed: one that includes the City of London (Model 1) and one that merges this area with the Metropolitan Police area (Model 2). Furthermore, as there are a low number of variables in the model, three principal components (PC) were extracted. Table 3 presents the initial rotated component output from the model that included the City of London.
As indicated across the bottom row of the Table 3 (cumulative variance), the three PCs together explain~77% of the variance observed in the data set. PC 1 explains 44%, with PC 2 and 3 explaining 18% and 15%, respectively. The key components, as labelled by the authors, are: shareholders and beneficial owners, which accounts for 18% of the variance in the model. Bivariate analysis also shows that variables of risky shareholders and beneficial owners are correlated (Pearson's r = 0.363). 3. PC 3: business opacity and cash intensity. This component relates to cash intensity of businesses and average distance to beneficial owners. Thus, a connection is suggested between cash intensity of a business and business ownership structures. As is observed in the bivariate analysis, the variables of cash intensity Model 2 and average distance to beneficial owners are correlated (Pearson's r = 0.320).
It should also be noted that in the above model, international connection/transit hubs are equally correlated across all three components, although the relationship is not as strong as with the other variables. This suggests a connection between the key components identified above and international connections. The same variables were then included in a model in which the City of London is merged with the Metropolitan Police service area (Model 2). This model was also set to explain three PCs. The initial rotated component outputs from the model are presented in Table 4. As can be seen, when the City of London is grouped with Metropolitan Police, the three PCs combined explain~61% of the variance observed in the data set (from 77% in the previous model). PC 1 explains 27%, with PCs 2 and 3 explaining 19% and 15% respectively. The key variables can be grouped together to identify the key factors that explain the variation observed for each PC. Therefore, the key components are: 1. PC 1: organised crime and international connections. As with the previous model, acquisitive crime revenues are an important component in the model. Drug trafficking and seizures also remain important. However, the presence of international transit hubs also emerges as being correlated with this PC. Indeed, the two variables of organised acquisitive crime revenues and drug transit hubs are highly correlated in the bivariate analysis (Pearson's r = .459), as are transit hubs and drug seizures (Pearson'sr = .499). 2. PC 2: connections to risky jurisdictions. As with the previous model, connections to risky shareholders and beneficial owners remain grouped in a PC. These two variables are correlated in the bivariate analysis (Pearson's r = .353). 3. PC 3: business cash intensity. As with the previous model, the two proxies for business cash intensity remain grouped in a PC. Here, the two measures of cash intensity explain 15% of the variance in the model and are correlated (Pearson's r = .429).

Developing a Composite Indicator of Risk and Validation of Model
PCA allows us to develop an overall composite indicator of risk for each police area in the model (stage 6). This is an aggregated weight of each component in the model which is then normalised to a scale of 0 to 100. This is calculated by multiplying each PC score by the proportion of variation explained by the component. This gives each of the 43 police areas a scaled risk score based upon data used for the PCA. Tables 5 and 6 present the relative risk (RR) scores for the top five scoring areas in each model. This shows that, for Model 1, the City of London is the area with the highest risk score, followed by the Metropolitan Police area, Greater Manchester and the West Midlands. For the City of London, the composite risk score is largely generated by the presence of organised crime. For the Metropolitan Police area, connections to risky jurisdictions is the largest component, whereas for Greater Manchester and the West Midlands, it is business opacity and cash intensity that generate the risk score.
If we turn to the composite risk with the City of London merged with the Metropolitan Police area, then the Metropolitan Police area, Greater Manchester and Dyfed-Powys emerge as the top three most risky locations. When the City of London is merged with the Metropolitan Police area, business cash intensity and organised crime/international connections are the main components that explain the risk score. For Greater Manchester, the presence of organised crime and international connections become the most important components, while for Dyfed-Powys, connection to risky jurisdictions is the main component. Both models indicate that the overall risk is highest in large urban locations, such as the Metropolitan Police area and Greater Manchester. Indeed, this is further illustrated visually in Fig. 1 and 2 below, where risk levels across all areas in the models are presented.
However, findings also reveal some surprising high-risk locations-such as Dyfed-Powys, a predominantly rural location-that many might not consider to be at high risk.  Therefore, an attempt was made to test the validity of the two models by correlating the composite risk scores for each area with existing measures of ML. Two measures, ML offences per 1 million population (2012-2015) 9 and percentage of businesses subject to ML regulations across all 43 areas, were used. Correlations are presented in Table 7, where it is illustrated that in relation to Model 1, both indicators are strongly correlated with the composite risk scores. However, for Model 2, there is a negative correlation with ML offences. While regulated business remain significantly correlated, the strength of the correlation is much weaker than in Model 1. It is evident that merging the City of London with the Metropolitan Police area impacts upon the strength of the correlations in relation to the validation variables used. However, caution needs to be expressed here: any validation measures need to be robust measures of actual ML activity, and it is not clear whether the measures used here can be described as such. The correlations indicate that the models are a good fit with the locations of regulated businesses and, when the City of London is not included with the Metropolitan Police area, with average numbers of ML offences. However, prosecutions for ML offences could largely be a function of policing priorities (rather than where ML actually occurs), and the presence of businesses subject to ML regulation might not actually be a good indicator of where the actual opportunities for ML can be found (see also Ferwerda and Kleemans in this edition). Therefore, more reliable validation variables or measures of ML activity are also required in the UK to develop a more robust risk model. 9 These are based upon numbers of prosecutions for proceeds of crime offences as reported in official Home Office statistics.

Discussion and Summary
This paper outlines an approach to assessing the risk of ML across the 43 police areas in England and Wales. While these findings are not definitive, the major contribution of the approach is to provide an illustration of a methodological approach that could identify highrisk locations. This complements the existing UK NRA approach (see HM Treasury 2015 and 2017) and could potentially be used in future NRAs. Indeed, the major strength is that a transparent approach is developed whereby the complex phenomenon of ML-which comprises multiple threats and vulnerabilities-can be placed into a single composite indicator. As illustrated above, this indicator allows for risk scores to be developed that can rank geographical locations according to threats and vulnerabilities, The approach also allows for a more detailed analysis of the relationship between specific threats (such as the presence of organised crime) and vulnerabilities (such as the presence of cash-intensive businesses). It must be borne in mind that this is the first attempt to use this methodology to analyse ML risk in the UK. For the approach to be developed as a more robust measure of risk, several improvements need to be made. The primary problem in the UK context is the paucity of available data. For example, in relation to threats, several other potential proxy measures were considered, such as tax-gap data and asset confiscation. The evidence suggests that tax-gap data is a good measure of potential flows of money that might be laundered into the illicit economy. The UK tax gap equates to 6.5% of tax that should, in theory, be collected (HMRC 2016). However, tax-gap data are presently not available at a subnational level in the UK. Asset confiscation was also considered as an alternative measure of organised crime infiltration. Asset confiscation is the main means by which the government seeks to deprive criminals of their illicit gains (National Audit Office 2013). However, as with tax-gap data, these data are not currently available at a subnational level, and information is not publicly available in relation to types of enterprises that those individuals issued with asset confiscation orders invest in, or where they try to launder money.
A further key limitation of the UK data is the absence of valid information in relation to measures of actual occurrences of ML. There is a paucity of data in relation to convictions for ML offences, and SAR data lack validity. Indeed, there are ways to improve the validity of SAR data that would be useful in this instance. The volume of SARs submitted to the UK Financial Intelligence Unit (UKFIU) each year is substantial and continues to rise annually. For example, for 2014-2015, the total number of SARs received was 381,882 (National Crime Agency 2015). In recent years, however, increasing concerns have been raised about the volume of SARs being submitted and the capabilities of the UK SARs database (known as ELMER) to conduct analysis that can inform knowledge about risk. However, as it stands, the overwhelming majority of UK SARs are made by the banking sector as part of their compliance with ML regulations. The result is that the UK collects thousands of SARs that provide no information about distribution of risk across the business population. The SARs regime is currently subject to review in the hope of developing a more robust database that informs knowledge about risk (see Home office/HM Treasury 2016). This research suggests that SARs would be of greater value if data were not only collected in relation to types of businesses in which attempts are made to launder money, but also who is trying launder the money, what types of businesses/organisations are they from, where they (or their businesses) are located and whether the report was validated as being a genuine attempt to launder money. This would immediately yield a data set with valuable threats and vulnerabilities data. Although the SARs regime is being reviewed, it is unclear whether future analytical capabilities will be able to identify threats and vulnerabilities as envisaged here.
While data availability is always going to be a challenge when developing a risk-based model, there are wider issues to be borne in mind that limit its utility. First, a question might be asked about how accurately the proxy measures identified in the literature can predict the likelihood of ML risk. However, this is a question that can only be answered as similar models are developed and subjected to validity tests. Second, the methodology cannot account for known emerging threats, such as the use of virtual currencies for which little quantifiable data exist. Third, it is difficult to account for some vulnerabilities, such as gaps in AML regulation, that might be key drivers of ML risk but are difficult to measure at a subnational or business level. Here, the more qualitative assessments from those working with virtual currencies or in AML regulatory compliance might be of value. Fourth, care must be taken when interpreting area/or geographically risk-based models, as there is an underlying assumption of a spatial association/connection between ML threats and vulnerabilities (rather than the cross-border nature of ML). It is, of course, plausible that money may be laundered in locations that are not spatially close to where the proceeds of crime are generated, especially where international transit hubs exist, OCGs have strong transnational connections and when money is easily moved electronically. Indeed, the international movement of money is flagged as a key threat in the UK (HM Treasury 2015 and 2017), though it is difficult to develop a proxy measure for this threat.
Of course, the potential utility of the risk-based approach is also dependent upon how it might be used to develop preventative approaches. The approach could clearly help identify locations at the highest risk or, as has been evidenced in other papers in this special issue, business sectors, which offer the most compelling opportunities for ML. Such findings might not only inform national strategies to prevent laundering, there is also the potential to use a similar approach to develop more localised hotspot maps that could move from analysis at the subnational level (i.e. police force areas, as illustrated in this paper) to micro-locations, such as local police neighbourhood units. This would offer a more robust tool for identifying the geographies at risk than currently exists and could aid the development of a range of potential preventative strategies targeted to localities and specific business sectors.
While the potential utility of the approach outlined in this paper is evident, at present, it is clear the UK does not have adequate data available to build a robust quantitative assessment of threats and vulnerabilities. Moreover, critics might even ask whether those in policy circles fully recognise the value of a robust NRA. A review of the current UK Action Plan for anti-ML and counter-terrorist finance (Home Office/HM Treasury 2016) suggests the UK is primarily committed to developing a robust law enforcement response to ML (catching and convicting offenders) rather than identifying where vulnerabilities exist (which could then be developed into preventative strategies designed to close opportunities for laundering). The focus on law enforcement is illustrated by the fact that six of the 19 action points in the plan focus on enhancing the law-enforcement response, with a further six focusing on building international links and partnerships (which focus primarily on intelligence gathering and investigation). However, this is not to say that there is no reference in the plan to risk-based approaches, identification of vulnerabilities and preventative strategies. Indeed, a commitment is made to improving the effectiveness of the supervisory regime and to move from a tick-box to a risk-based regime that would focus on areas of highest risk (Home Office/HM Treasury 2016: 22). Plans have been established to reform the current SAR regime through developing an SAR regime that will assist in managing risks and vulnerabilities (Home Pffice/HM Treasury 2016: 12). There is also a commitment to remove inconsistencies observed in the NRA and to develop a common risk assessment methodology across obliged entities (Home Office/HM Treasury 2016: 24). There is reference to reducing vulnerabilities, which refers to closing loopholes that can be exploited to raise and move funds; there is also a commitment to deliver prevention awareness campaigns (targeted to professionals in the regulated sectors, businesses and consumers).
Despite the references in the UK Action Plan to risk-based approaches, vulnerabilities and prevention, there are three main concerns. First, although reference is made in the action plan to the 2015 UK NRA, none of the data presented in the NRA are used to formulate any of the action points. Thus, there is an absence of a notable connection between the evidence presented in the 2015 NRA and the development of the action plan. Of course, this might partly be due to a lack of confidence in the findings of the NRA and the recognition that there are large gaps in the data at present, but it does little Bto ensure that measures … are commensurate with the risks identified^, as suggested in the FATF guidance (FATF 2013: 6). Indeed, to develop a credible and comprehensive action plan to prevent ML, one would expect the plan to be (at least partially) well informed by data collected in the NRA. Second, a significant part of the action plan is based around the further responsibilisation of regulated businesses in the fight against ML by ensuring they complete their own risk assessments (to comply with the recommendation of Art. 8 of the 4th AML directive). This in itself is not necessarily problematic, but it suggests it is thought that it is only regulated businesses in which there is a risk of ML and so reemphasises the responsibility of these businesses (Levi 2014). Although it might be considered reasonable to emphasise in the action plan the role of business in preventing ML, one might question whether it is only regulated businesses that are at risk of ML. Third, the heavy focus in the plan on law enforcement suggests that the government favours approaches to AML based upon chasing suspects and confiscating assets upon conviction (rather than seeking to identify, prevent and close opportunities). However, the wider evidence suggests that across most crime types, investigation and enforcement are only likely to have a limited impact on reducing the extent of the problem, as only a small proportion of offenders can ever be investigated and they are only ever responsible for a limited proportion of crime. Indeed, a wide body of research suggests that seeking to reduce crime opportunities can yield significant dividends in preventing crime (Clarke and Bowers 2017). This paper suggests that identifying where opportunities for ML exist-be they geographical or across business sectors-and reducing the major predicate offences that generate profits from crime might be more fruitful long-term approaches to reducing the extent of ML.
While the UK NRAs are comprehensive documents, the limited methodological approach means it is difficult to conclude that they provide the robust risk assessment that identifies where ML opportunities exist. The approach outlined in this paper is not necessarily an alternative but it is an approach that is transparent, replicable and could complement the more qualitatively focused UK assessments. In the absence of transparent and robust assessments, the concern is that national policy will continue to focus on enforcement and investigation, rather than properly understanding where opportunities for ML exist. Of course, the charge might also be made that those in policy circles view NRAs as being of limited value, as crime groups will always be a step ahead and identify new ways to launder proceeds of their crime. Therefore, such exercises might inform, but they cannot be the key drivers of policy. However, a major consequence of this view could be that NRAs become another tick-box exercise that does little to drive future preventative strategies.