As technology continues to advance, the financial and crypto-asset sectors have become more complex, and crimes have become more sophisticated and technologically advanced, making them more difficult to detect.
This leaves firms vulnerable to criminal activity. The question of how to “separate the wheat from the chaff” and find the bad actors among a bunch of perfectly legitimate customers is more important than ever.
The risk-based approach could be the answer, but only if it is applied correctly: you could be prepared to stay on the safe side with the regulator while ensuring uninterrupted service to your customers.
In this blog, we’ll explore some of the tools and techniques available for evaluating AML (Anti-Money Laundering) risk management solutions, considering regulatory requirements, the need to protect your business from being used for criminal purposes, and the obvious business need to deliver the best customer experience and operate profitably.
Understanding the importance of AML risk assessment in AML/CFT compliance programs
In simple terms, the risk-based approach is just a fancy term for segmenting your customer portfolio into groups for the sole purpose of filtering out the possible wrongdoers from those who do not raise concerns about possible links to criminal activity.
AML risk assessment is another word combination used by the regulator that indicates the same approach – don’t be chaotic, use your resources wisely, don’t bother customers who are not risky and focus your efforts on customers who are possible criminals or associated with criminal activity.
A risk-based approach is at the heart of any AML/CFT compliance programme and rests on two pillars: holistic (enterprise-wide or business-wide) risk assessment and targeted (individual customer) risk assessment. ML/TF risk assessment should be an integral part of the firm’s overall risk management framework and target the basic steps of risk management: risk identification, risk assessment, risk control, and risk mitigation or avoidance (the latter should be used carefully and should not lead to de-risking of the entire client group).
Sounds simple? In theory it is but putting it into practice raises a number of issues. The wrong implementation of a risk-based approach can, at best, result in unhappy customers burdened with unnecessary enhanced due diligence, and, at worst, waste resources and miss criminal activity. Here are some tips from our experts on how to approach risk assessment.
Holistic customer segmentation or Enterprise-Wide Risk Assessment (EWRA)
If you have a ‘chicken or the egg’ conundrum, the answer is simple – enterprise-wide risk assessment always comes first. If you are a start-up, the holistic view of your ML/TF risks should be based on your business plan, which should be updated later with actual data.
Enterprise-wide risk assessment (or EWRA) is not a standalone exercise undertaken simply to satisfy the regulator. If done properly, EWRA could give you an answer on your target customer profile based on “peer grouping” and this already sets some thresholds for further individual customer risk scoring and transaction monitoring. EWRA could give you some insight into:
The ML/TF risks of your target customers and the weaknesses in the AML/CFT controls applied to these customers (or possible risks and possible controls if you are in the start-up phase);
How to establish individual customer ML/TF risk assessment criteria, including criteria for triggering enhanced due diligence;
How to tailor your transaction monitoring model: setting thresholds and limits for certain rules, customizing the frequency and intensity of transaction monitoring for certain customer groups;
Determine the basis for calculating the actual resources required to implement the necessary AML/CFT controls.
Quantitative data should form the basis of the assessment of inherent ML/TF risks (either actual data over the selected business period or business plan), so data quality must be ensured, including data accuracy, so that the company can be confident that it is implementing the necessary AML/CFT controls:
Accuracy, so that the company can be confident that material distortions of the actual AML/TF results are avoided;
Completeness (including data from all business units).
The larger companies are using more sophisticated tools to obtain statistics from their internal databases, but so far it is still a challenge to ensure that accurate and complete data would feed into the EWRA results.
To ensure that the residual ML/TF risk is properly assessed, an overview of AML/CFT controls is required. Compliance reports, audit reports, reports on the results of monitoring back-testing, reports on operational risk incidents could be the source that the firm would be willing to examine before deciding whether the controls are adequate.
The assessment of residual risk is subject to the risk assessment model used by the entity. As with all risk assessment models, the risk assessment model used for EWRA should be validated.
Targeted risk assessment or individual customer risk assessment
The data collected from customers (KYC data) forms the basis for the individual customer risk assessment. When developing KYC questionnaires, the firm should use the results of the EWRA and consider having more comprehensive questionnaires for those customer segments that are exposed to higher risks and possibly simplified KYC questionnaires for those that do not raise concerns.
However, an individual client poses an individual risk relative to his or her peer group, and this should also be considered. For example, a corporate customer domiciled in a low-risk country and using only domestic payment initiation services may pose a different risk to the same customer that expands its services to include cross-border payments to and from high-risk countries.
The higher risk clients will be subject to enhanced due diligence procedures, which will include not only additional data collection (e.g., on source of funds and assets), but also enhanced monitoring and senior management involvement in the client onboarding decision process. Therefore, to avoid overburdening the business with additional processes, you may be willing to have an accurate client risk scoring tool that addresses ML/TF risks in a way that satisfies the regulator and keeps the process as burdensome as possible for the business and, later, its clients. In developing a risk scoring model, you may wish to consider:
whether the risk scoring model meets all the mandatory criteria set by the regulator (client, geography, product, channel);
whether the risk scoring model takes into account the mandatory high-risk situations set by the regulator (e.g. an automatic high-risk score could be applied if the customer is a politically exposed person, registered in the high-risk country, etc.);
if the weighting of the risk criteria is not unduly influenced by a single factor and/or does not lead to a situation where it is impossible to classify any business relationship as high risk;
if it is possible to override the automatically generated risk score if necessary;
where the individual customer risk score is reviewed on a regular basis or when trigger events occur (e.g. when the customer wishes to take out a new product or service, when a certain transaction threshold is reached, etc.);
where the customer re-scoring is applied when there are significant changes to the risk scoring model or when there are significant changes to components of the risk scoring model (e.g. significant changes to the geographical risk score due to external factors such as inclusion of the country on the FATF grey or black list).
Although KYC data is an important part of the risk assessment, the company should consider including internal and external data sources as additional information that could be evaluated as additional customer risk criteria, such as customer behavior, transaction history, internal investigation data, adverse media screening information, regulatory or law enforcement inquiries, etc.
Validation of risk assessment models
Assessing the risk of money laundering in a business or financial institution. By analyzing customer and transaction data, AML risk assessment helps organizations determine the likelihood of money laundering activities and implement effective risk management strategies to mitigate these risks.
The primary objective of AML risk assessment is to identify potential risks and vulnerabilities in an organization’s operations, systems and processes. This process enables organizations to develop risk management plans that address any weaknesses and vulnerabilities and prevent or mitigate money laundering risks. Effective AML risk assessment and management plans can help organizations avoid hefty fines, reputational damage and legal repercussions.
AML risk assessment tools
To effectively manage AML risks, organizations can use a variety of tools. One of the most common techniques is risk scoring, which involves assigning scores to customers based on their risk level. By analyzing data such as transaction history, location and occupation, organizations can identify customers who pose a higher risk of money laundering.
Transaction monitoring is another tool that enables businesses to assess and flag suspicious transactions in real time. This can be achieved using algorithms that look for patterns and anomalies that may indicate money laundering activity.
AML risk management techniques
Once organizations have identified the risks of money laundering, they need to implement effective risk management techniques to mitigate these risks. Rules-based monitoring is one such technique that organizations can use to identify suspicious transactions. This involves creating specific rules to help identify suspicious transactions based on pre-defined criteria.
Another effective risk management technique is to train employees to identify and report suspicious activity. This can be achieved through regular training sessions that educate employees about the risks of money laundering and how to spot potential red flags.
Statistics on AML risks in the digital age
Criminals are increasingly using digital channels to launder money, according to a report by the Financial Action Task Force (FATF). The report states that “the number of cases in which virtual assets have been used for money laundering has increased rapidly in recent years”. This highlights the importance of implementing effective AML risk assessment and management strategies in the digital age.
The report also identifies some of the key challenges organizations face in managing AML risk in the digital age. These challenges include the complexity of digital transactions, the lack of regulation in some jurisdictions and the use of new technologies such as virtual currencies and online payment systems.
In today’s fast-paced digital world, money laundering poses a significant threat to businesses and financial institutions. But with the right tools and techniques, it’s possible to stay one step ahead of potential risks. By implementing AML risk assessment and management strategies, organizations can protect themselves and their customers from the damaging effects of fraudulent activity.
Effective AML risk assessment and management plans can help businesses avoid hefty fines, reputational damage and legal repercussions. So whether you’re a seasoned financial professional or just starting out in the industry, now is the time to take action and protect your business from the ever-evolving threats of money laundering. Remember, an ounce of prevention is worth a pound of cure!
You should consider the mandatory criteria set by the regulator, but should also take into account the specifics of your business model:
When considering customer risk, you may want to consider what part of your business will be focused on individual customers and what part of your business will be focused on businesses. When analyzing the latter, consider the type of companies you will be serving (e.g. private or public companies), the industries these companies represent (e.g. gambling, finance, real estate, precious metals, crypto asset exchanges, sports, cash-intensive businesses, etc.) and other possible customer groups.
When considering product/service risk, carefully analyze their business model and cash flow schemes. When analyzing products and services, ask yourself whether you really understand the AML/CFT requirements associated with the services you provide (e.g. if you offer BaaS or related banking services).
Different countries may pose different challenges due to differences in AML/CFT frameworks, so you may want to consider the location of the target customer, the direction of the money flow, and the ML/TF risks associated with it.
If you are planning to use the network of agents or intermediaries, do not forget to include them when considering the service channel risk.
When analyzing the customer group, the firm should identify possible ML/TF risks associated with this group and identify control weaknesses in order to take the necessary risk mitigation measures.