Regulators are increasingly turning toward a risk-based approach, as opposed to prescriptive measures, for many areas of compliance. When it comes to Anti-Money Laundering (AML), the Financial Action Task Force (FATF), an inter-governmental body that sets international goals for AML, stated in 2012 that “the risk-based approach (RBA) is central to the effective implementation of the FATF Recommendations.”
How, though, can compliance determine what is the level of risk and what are appropriate measures to mitigate that risk? What are effective strategies and procedures to determine that the RBA is in fact robust and that it protects the organization and meets the expectations of regulators?
Reasons for a risk-based approach
Consider why the FATF and regulators are proponents for RBA. If regulators do provide specific criteria to meet, often taking measures to meet that criteria are the only steps done. As opposed to creating compliance programs that are resilient and actually deter money laundering, it’s about just getting over a minimum bar.
Especially in the current pace of rapid technology developments, criminals always seem to be a few steps ahead of the regulators and legal system. The RBA approach bypasses the need to discover, understand, debate and implement specific measures to combat every new threat, so it’s more flexible, quicker to adapt and provides a common-sense philosophy to guide compliance to do the right thing. Are you considering the risks appropriately? Are you taking reasonable actions?
There’s also a practical, bottom-line reality to RBA: spend more time, money and energy on those risks that are more dangerous, more likely to cause harm. Not all threats are equal, so why treat all threats the same?
The RBA approach is about thinking systematically about your business, your customers, your partners, your regulators, and the security and risk environment. It’s the systematic thinking that is critical and what regulators are looking for, not an occasional lapse or oversight. A solid compliance program is characterized by actively trying to consider the possibilities and taking preventive actions. As Zhang Fan, CAMS, vice chairman, Macau Anti-Money Laundering Specialists Association, Bank of China, Macau states, regulated organizations “should consider the risk for money laundering as one of the angles for examining customers and business operations, while driving the gradual integration of various business operation management measures such as credit risks, market risks and operational risks.”
1. Determine the risk profile
Well before any actual customer due diligence occurs, the organization needs to have a risk assessment in place; what are the risk factors for that organization and how are they set up to deal with them?
The first step is determining the risk profile, the inherent risk of an organization, which can vary widely based on factors such as these:
- What industry are they in?
- What jurisdictions are they in?
- What jurisdictions are their customers in?
- What types of products and services do they offer?
- What types of transactions are involved?
- What volume of transactions?
- What is the value of transactions?
- What types of companies do they deal with?
- Who owns and operates these companies?
- What third parties do they deal with?
Understanding overall risk scenarios and determining what risks and risk levels are appropriate to the institution helps limit the scope of compliance considerations. Not all organizations will accept all types of businesses, so establishing criteria focuses the organization on threats associated with the actual risk profile.
Even then, risk assessments have an abundance of information to consider. One crucial consideration: does your organization have the expertise to adequately gauge the risk? Does it have the expertise in that field and the seniority to ensure that decisions are adequately considered? As one enforcement action by the Australian Transaction Reports and Analysis Centre (AUSTRAC) stated, “the unit responsible for monitoring the Bank’s domestic and foreign retail customer accounts was understaffed, and the personnel lacked the requisite knowledge and expertise to adequately perform their duties.”
If there is sufficient expertise, fortunately there are numerous resources that provide guidance, knowledge and feedback to help deliver a robust risk assessment framework. The FATF is a goldmine of information and has the advantage of looking at money laundering from a global perspective. While the FATF does not set actual law or regulations, they do provide best practices. And, as their recommendations do guide jurisdiction-specific implementations, adhering to their suggested practices does help create a long-term viable AML program.
Another international organization, The Wolfsberg Group, also provides guidance for the management of financial crime risks. The Group represents 13 global banks that came together in 2000 to create AML guidelines for private banking. While many financial organizations might not offer those specific services, The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption provide deep insight into the thinking and procedures for risk assessments.
2. Implement risk controls
A risk assessment also needs to consider the control effectiveness, that is, the mitigating measures that the organization puts in place:
- What governance structures exist?
- What are the policies and procedures?
- What are the KYC and due diligence systems?
- What other risk assessments require consideration?
- What management checks and oversight have been done?
- What are the record-keeping and reporting methods?
- What types of AML controls, training and testing are operational?
Each of these control systems (and more) require consideration, both from a program design point of view and for implementation effectiveness. Ongoing self-assessments make sense, always analyzing various parts of the overall program, especially when major changes are occurring. Whether it’s a new offering, a changed regulation, staff changes or other alterations, it’s important to always ensure that assessments are current.
Deploying a third-party assessment from an independent source on an occasional basis is also a best practice. One recommendation, from the US Federal Financial Institutions Examination Council (FFIEC), is to conduct independent testing generally every 12 to 18 months.
3. Balance the residual risk
To complete a risk assessment, one more phase is required: comparing the risk profile to the risk controls to gauge how effectively the controls match the risk. As the Wolfsberg Group puts it, “residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls.”
This step, the balancing of risks with controls, is the key to operating an RBA. Obviously, if the risk profile is inaccurate, or a risk control is weak or non-existent, then this whole approach becomes unworkable. However, if the assessments are accurate and the systems effective, then the residual risk and the necessary adjustments should be apparent. Simply put, the higher the risk, the more controls should be in place.
Once an effective risk-based approach is established, ongoing operations should allow for reasonably quick input of any new information. For example, a new applicant who has an unusual profile applies to become a customer; without a robust RBA, they’d have to be considered on a one-off basis, which might be more time consuming and costly. However, comparing this applicant to the risk profile can quickly determine whether they meet the predetermined requirements.
The strength and beauty of the risk-based approach is to provide the organization with a framework to understand risk and an operational plan on how to deal with it. Risk will always be a factor whenever there’s the possibility of money laundering. By taking a methodical approach, AML risks can be effectively managed by the organization and better serve societal imperatives.