According to the Financial Action Task Force (FATF), financial institutions (FIs) should be required to implement programs against money laundering and terrorist financing.1 The program should support the development of prevention and mitigation measures that are commensurate to the financial crime risk faced. This drives how institutions allocate their compliance resources, organize their internal controls, their internal structures and how they implement policies as well as procedures to deter and detect money laundering/terrorist financing across the enterprise.2
When thinking about how institutions have fared in adopting this guidance, recent regulatory fines lead us to conclude that improvement is needed. In 2019, 20 anti-money laundering penalties were issued globally, totaling over $352.5 million. What is more, $339.3 million of these were handed down to FIs.3
The root cause for the majority of serious compliance violations has its origins in the risk-based approach. This article will explain why a risk-led approach is key for an effective program and it will go into detail about designing a risk-based approach and walkthrough key program attributes, starting with the inherent risk assessment.
Pillars of an Anti-financial Crimes Program
A robust program prevents, detects and deters financial crime through the implementation of frameworks and controls. The ultimate objective is to create an environment unattractive to criminals looking to launder ill-gotten funds. Avoiding noncompliance penalties and preserving reputation are other reasons to take program building seriously.
The risk-based approach is the bedrock of the program that reflects not only the institution’s appetite for risk but its overall philosophy toward its management and mitigation. The risk-based approach acts as a blueprint for the measures taken to prevent or mitigate financial crime while ensuring they are commensurate with the risks identified. Taking a risk-sensitive approach is good for the bottom line as a well-constructed risk-based approach will aid in efficiently distributing resources with priority going to the higher-risk areas.
The foundational program pillars are grounded in the risk-based approach bedrock and allow the institution to assess inherent risks, develop and apply written policies and procedures, train its employees and assess effectiveness through ongoing program audits. By establishing strong pillars, an institution can effectively carry out due diligence on clients, apply enhanced measures to high-risk events and monitor and report suspicious transactions.
The role of the compliance officer should not be understated. While this individual is not considered part of the core pillars per se, their leadership, expertise and influence drive the overall management and oversight of risks within the program.
Inherent Risk Assessment
If the risk-based approach is the bedrock by which to build an effective program, the risk assessment is the foundation. When the institution is building one for the first time or undergoing an audit, it is an opportunity to showcase to stakeholders that you know your business and perform the necessary research to flesh out all material risks and vulnerabilities within your organization.
Risk assessments should capture the relevant factors that make the institution susceptible to financial crime. Some of these factors include the following:
- The types of products and services offered, including their characteristics and features, and the delivery channels through which clients can access products and services
- The type of business relationships the institution holds
- The geographic footprint, including locations of agents and contractors
- The plans with respect to the rollout of new technologies or innovations
Put yourself in the shoes of a criminal; their objective is to exploit vulnerable spots and launder their money undetected. This is far from a box-ticking exercise and requires extensive exploration with line owners and subject-matter experts across the enterprise.
Once you thoroughly understand the business and clients, it is time to develop a methodology. Institutions often struggle with documenting the rationale that shows the thought process for arriving at conclusions about risk. Common pitfalls include missing or incomplete explanations for how risk scores and weightings are determined, and the factors or attributes considered.
Find the right balance between being prescriptive and principle-based. Being too structured will slow your response to rapidly evolving threats and fall short of regulator expectations. Conversely, risk assessments that allow for unbridled discretion will lead to disagreements among business groups over its application and result in inconsistencies and, ultimately, inaccurate results.
Institutions that rely on data-driven or automated models must adequately map to the original data source. Many institutions rush through this step resulting in an inaccurate view of the risks faced by the organization. This could land you in hot water with regulators who expect comprehensive documentation around decisions.
There are situations where institutions manually override risk elements due to an exception or the presence of new data. Formal documentation and senior management approvals should accompany such decisions. This is especially if you decide to override established policy by downgrading risk. If done incorrectly, it could expose the business to noncompliance, especially if the justification is not clear and watertight.
Customer Risk Assessment
Institutions must understand who their clients are and perform the necessary know your customer (KYC) and customer due diligence measures (CDD) during initial onboarding and throughout the relationship. The data collected from these processes should inform a dynamic methodology with established weightings based on the client’s profile. Risk classification will be different for a client who is a foreign politically exposed person with businesses in a high-risk country compared to a retired schoolteacher living off a modest pension.
It is important for the methodology to have an equal measure of static and dynamic factors. A customer risk assessment that overly focuses on occupation or geography may overlook transaction patterns and behaviors that lead to red flags or worse.
Classifying client populations into risk categories is challenging for large institutions with a significant client base. The key is to develop the methodology early and prioritize its application, starting with the highest-risk customers.
Once the institution has segmented its client population into the appropriate risk levels, it must apply the measures according to the thresholds established by its own standard. The institution must practice what it preaches and implement the approach evenly across the business. Be prepared to adjust your client’s risk rating based on new information obtained during the course of the relationship. This could be from triggering events like suspicious transactions, scheduled KYC refreshes or periodic reviews of the client’s activity.
If, during the relationship, the client exceeds the established risk parameters, decide if you maintain the relationship with enhanced measures or part ways with the client. The decision to exit the relationship should have the backing of the business line owner with sign-off from compliance and senior management.
Enriching the Risk-Based Approach
With the risk assessment in place, the institution can leverage the document to inform the design and execution of its transaction-monitoring program. Outcomes of the transaction monitoring process should feed back into the risk-based assessment and vice versa. If a client’s transaction activity is making your system work overtime, consider adjusting their risk rating.
Advances in artificial intelligence, machine learning and algorithmic decision-making are creating unprecedented opportunities in how institutions monitor their customers’ activity. The market is awash with experts with the latest in detection software and technology. Sophisticated analytics approaches drive models for transaction monitoring, customer risk rating, sanctions, list screening and fraud detection. Institutions are spending billions on researching and developing their own proprietary models. How does one go about validating the models?
Model validation, in our context, is the set of processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses.4
The deployment of your rules should be on a risk-sensitive basis. In other words, the frequency and intensity of monitoring must be commensurate to the risk that it seeks to mitigate. The monitoring schedule for a cash-intensive business with a history of suspicious transactions will look very different from a retail worker who uses their account to pay weekly bills and groceries.
The best practices when building a model include the following:
- Policies, procedures and good governance that support the model
- Regular system maintenance through optimization and tuning
- Adequate coverage of products and services with exceptions is documented
- Conducting evaluations for data that was missed when it should have been caught by the system due to a false negative vis-a-vis below-line testing and data that was caught and discounted due to a false positive vis-a-vis above-line testing
- Alignment with legal requirements and regulator expectations
Institutions spend weeks or even months fine-tuning their scenarios only to be surprised by the volume of alerts when the tool goes live. A backlog of cases can easily overwhelm your team with unproductive work. Remediation efforts should be well documented and aligned with the institution’s RBA. Sorting or filtering the queue may reveal data points with high-risk attributes or outright red flags. Prioritize these alerts in your workflow.
This article explained the importance of taking a risk-based approach when building an anti-financial crime (AFC) program. The key features of a risk-based approach are the inherent risk assessment and client risk assessment. Your transaction-monitoring program reflects the methodology in action and outcomes from generated alerts, cases and unusual activities should feed back into the RBA and client risk scores.
Before setting about building your AFC program, spend sufficient time thinking about your risk-based approach—including appetites, objectives and overall mandate of the program. Albert Einstein is famously quoted as saying, “If I were given one hour to save the planet, I would spend 59 minutes defining the problem and one minute resolving it.” Professionals within compliance are keen to get on with the day-to-day running of the program. Failing to spend the necessary upfront investment may lead to long-term systemic issues within the program.
The views, thoughts and opinions expressed in this article belong to those of the author and do not necessarily represent the views or position of the author’s employer.
- “International Standards On Combating Money Laundering And The Financing Of Terrorism & Proliferation: The FATF Recommendations,” Financial Action Task Force, Updated March 2022, https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF Recommendations 2012.pdf
- “Guidance for a Risk Based Approach: The Banking Sector,” Financial Action Task Force, October 2014, http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf
- Henry Balani, “Over $352.5 million of fines handed out globally in last four months,” Encompass Corporation, September 16, 2019, https://www.encompasscorporation.com/blog/over-352-5-million-of-fines-handed-out-globally-in-last-four-months/.
- Vijaya Venkataramani, “What is Financial Crime Validation and how can it help your organisation?” Contineo Financial Risk Solutions, https://www.contineofrs.com/what-is-financial-crime-validation-and-how-can-it-help-your-organisation - :~:text=Financial%20crime%20validation%20is%20the,design%20objectives%20and%20business%20uses..