Risk-based approach – effective procedures to determine and manage AML & KYC risk

A risk-based approach is about understanding the risks your organization faces and creating controls for these risks based on prioritizing the damage they can do. Often used by compliance teams, the approach focuses efforts based on the level of risk.

Regulators are increasingly turning toward a risk-based approach, as opposed to prescriptive measures, for many areas of compliance. When it comes to Anti-Money Laundering (AML), the Financial Action Task Force (FATF), an inter-governmental body that sets international goals for AML, stated in 2012 that “the risk-based approach (RBA) is central to the effective implementation of the FATF Recommendations.”

How, though, can compliance determine what is the level of risk and what are appropriate measures to mitigate that risk? What are effective strategies and procedures to determine that the RBA is robust and that it protects the organization and meets the expectations of regulators?

The benefits of a risk-based approach

Consider why the FATF and regulators are proponents of RBA. If regulators provide specific criteria to meet, often taking measures to meet those criteria is the only step. Instead of creating resilient compliance programs that deter money laundering, it’s about getting over a minimum bar.

Especially in the current pace of rapid technology developments, criminals always seem to be a few steps ahead of the regulators and legal system. The RBA approach bypasses the need to discover, understand, debate and implement specific measures to combat every new threat, so it’s more flexible, quicker to adapt and provides a common-sense philosophy to guide compliance to do the right thing. Are you considering the risks appropriately? Are you taking reasonable actions?

There’s also a practical, bottom-line reality to RBA: spend more time, money and energy on those risks that are more dangerous and more likely to cause harm. Not all threats are equal, so why treat all threats the same?

For example, a Know Your Customer (KYC) risk-based approach helps enable a better customer onboarding compliance program as it adjusts the verification levels based on risk factors. Low-risk customers are more quickly accepted, while higher-risk customers can have additional verification procedures added.

The RBA approach is about thinking systematically about your business, customers, partners, regulators, and the security and risk environment. It’s the critical systems thinking and what regulators are looking for, not an occasional lapse or oversight. A solid compliance program is characterized by actively considering the possibilities and taking preventive actions. As Zhang Fan, CAMS, vice chairman, Macau Anti-Money Laundering Specialists Association, Bank of China, Macau states, regulated organizations

“should consider the risk for money laundering as one of the angles for examining customers and business operations, while driving the gradual integration of various business operation management measures such as credit risks, market risks and operational risks.”

The risk-based approach has three steps: determine the risk profile, implement effective risk controls and balance the residual risk.

1. Determine the risk profile

Before any actual Customer Due Diligence occurs, the organization needs to have a risk assessment in place; what are the risk factors for that organization and how are they set up to deal with them?

The first step is determining the risk profile, the inherent risk of an organization, which can vary widely based on factors such as these:

• What industry are they in?
• What jurisdictions are they in?
• What jurisdictions are their customers in?
• What types of products and services do they offer?
• What types of transactions are involved?
• What volume of transactions?
• What is the value of transactions?
• What types of companies do they deal with?
• Who owns and operates these companies?
• What third parties do they deal with?

Identifying potential issues, understanding overall risk scenarios, and determining what risks and risk levels are appropriate to the institution helps limit the scope of compliance considerations. Not all organizations will accept all types of businesses, so establishing criteria focuses the organization on threats associated with the actual risk profile.

Even then, risk assessments have an abundance of information to consider. One crucial consideration: does your organization have the expertise to gauge the risk adequately? Does it have the expertise in that field and the seniority to ensure that decisions are adequately considered? As one enforcement action by the Australian Transaction Reports and Analysis Centre (AUSTRAC) stated, “the unit responsible for monitoring the Bank’s domestic and foreign retail customer accounts was understaffed, and the personnel lacked the requisite knowledge and expertise to adequately perform their duties.”

Fortunately, if there is sufficient expertise, there are numerous resources that provide guidance, knowledge and feedback to help deliver a robust risk assessment framework. The FATF is a goldmine of information and has the advantage of looking at money laundering from a global perspective. While the FATF does not set actual laws or regulations, they provide best practices. And, as their recommendations guide jurisdiction-specific implementations, adhering to their suggested practices does help create a long-term viable AML program.

Another international organization, The Wolfsberg Group, also guides the management of financial crime risks. The Group represents 13 global banks that came together in 2000 to create AML guidelines for private banking. While many financial organizations might not offer those specific services, The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption provides deep insight into risk assessment thinking and procedures.

2. Implement effective risk controls

A risk assessment also needs to consider the control effectiveness, that is, the mitigating measures that the organization puts in place:

• What governance structures exist?
• What are the policies and procedures?
• What are the KYC and due diligence systems?
• What other risk assessments require consideration?
• What management checks and oversight have been done?
• What are the record-keeping and reporting methods?
• What types of AML controls, training and testing are operational?

Each of these control systems (and more) requires consideration, both from a program design point of view and for implementation effectiveness. Ongoing self-assessments make sense, constantly analyzing various parts of the overall program, especially when significant changes occur. Whether it’s a new offering, a changed regulation, staff changes or other alterations, always ensure that assessments are current.

On occasion, deploying a third-party assessment from an independent source is also a best practice. Generally, the U.S. Federal Financial Institutions Examination Council (FFIEC) suggests banks update their risk assessments to reflect the bank’s risk accurately.

3. Balance the residual risk

Completing a risk assessment requires comparing the risk profile to the risk controls to gauge how effectively the controls match the risk. As the Wolfsberg Group puts it, “residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls.”

This step, balancing risks with controls, is the key to operating an RBA. If the risk profile is inaccurate or a risk control is weak or non-existent, then this whole approach becomes unworkable. However, if the assessments are accurate and the systems effective, the residual risk and the necessary adjustments should be apparent. The higher the risk, the more controls should be in place.

Once a practical risk-based approach is established, ongoing operations should allow for reasonably quick input of any new information. For example, a new applicant with an unusual profile applies to become a customer; without a robust RBA, they’d have to be considered as a one-off, which might be more time-consuming and costly. However, comparing this applicant to the risk profile can quickly determine whether they meet the predetermined requirements.

The individual, scenario and numerous other factors will affect the risk profile and, thus, the rule sets and workflows should also vary. They can be customized to offer the most appropriate onboarding experience based on risk, allowing lower-risk accounts to onboard seamlessly while requiring higher-risk ones to go through more robust measures as part of a balanced, risk-based approach.

The strength and beauty of the risk-based approach are to provide the organization with a framework to understand risk and an operational plan for dealing with it. Risk will always be a factor whenever there’s the possibility of money laundering. The organization can effectively manage AML risks and better serve societal imperatives by taking a systematic approach.